modify expert: add config for shadowserver changes
Add an example configuration for the modify bot.
It reverts the changes of classification.identifier values in the
ShadowServer parser bot effective in IntelMQ 3.1.

see also certtools#2227
wagner-intevation committed Sep 20, 2022
1 parent c446a18 commit 2ec9d35
Showing 2 changed files with 247 additions and 0 deletions.
@@ -0,0 +1,245 @@
[
{
"rulename": "Map new open-adb to old accessible-adb",
"if": {
"classification.identifier": "^open\\-adb$"
},
"then": {
"classification.identifier": "accessible-adb"
}
},
{
"rulename": "Map new open-afp to old accessible-afp",
"if": {
"classification.identifier": "^open\\-afp$"
},
"then": {
"classification.identifier": "accessible-afp"
}
},
{
"rulename": "Map new open-amqp to old accessible-amqp",
"if": {
"classification.identifier": "^open\\-amqp$"
},
"then": {
"classification.identifier": "accessible-amqp"
}
},
{
"rulename": "Map new open-ard to old accessible-ard",
"if": {
"classification.identifier": "^open\\-ard$"
},
"then": {
"classification.identifier": "accessible-ard"
}
},
{
"rulename": "Map new open-cisco-smart-install to old accessible-cisco-smart-install",
"if": {
"classification.identifier": "^open\\-cisco\\-smart\\-install$"
},
"then": {
"classification.identifier": "accessible-cisco-smart-install"
}
},
{
"rulename": "Map new open-coap to old accessible-coap",
"if": {
"classification.identifier": "^open\\-coap$"
},
"then": {
"classification.identifier": "accessible-coap"
}
},
{
"rulename": "Map new open-ftp to old accessible-ftp",
"if": {
"classification.identifier": "^open\\-ftp$"
},
"then": {
"classification.identifier": "accessible-ftp"
}
},
{
"rulename": "Map new open-hadoop to old accessible-hadoop",
"if": {
"classification.identifier": "^open\\-hadoop$"
},
"then": {
"classification.identifier": "accessible-hadoop"
}
},
{
"rulename": "Map new open-http to old accessible-http",
"if": {
"classification.identifier": "^open\\-http$"
},
"then": {
"classification.identifier": "accessible-http"
}
},
{
"rulename": "Map new open-rdpeudp to old accessible-msrdpeudp",
"if": {
"classification.identifier": "^open\\-rdpeudp$"
},
"then": {
"classification.identifier": "accessible-msrdpeudp"
}
},
{
"rulename": "Map new open-radmin to old accessible-radmin",
"if": {
"classification.identifier": "^open\\-radmin$"
},
"then": {
"classification.identifier": "accessible-radmin"
}
},
{
"rulename": "Map new open-rsync to old accessible-rsync",
"if": {
"classification.identifier": "^open\\-rsync$"
},
"then": {
"classification.identifier": "accessible-rsync"
}
},
{
"rulename": "Map new open-ubiquiti to old accessible-ubiquiti-discovery-service",
"if": {
"classification.identifier": "^open\\-ubiquiti$"
},
"then": {
"classification.identifier": "accessible-ubiquiti-discovery-service"
}
},
{
"rulename": "Map new honeypot-ddos-amp to old amplification-ddos-victim",
"if": {
"classification.identifier": "^honeypot\\-ddos\\-amp$"
},
"then": {
"classification.identifier": "amplification-ddos-victim"
}
},
{
"rulename": "Map new blocklist to old blacklisted-ip",
"if": {
"classification.identifier": "^blocklist$"
},
"then": {
"classification.identifier": "blacklisted-ip"
}
},
{
"rulename": "Map new open-dns to old dns-open-resolver",
"if": {
"classification.identifier": "^open\\-dns$"
},
"then": {
"classification.identifier": "dns-open-resolver"
}
},
{
"rulename": "Map new honeypot-http-scan to old honeypot-http-scan",
"if": {
"classification.identifier": "^honeypot\\-http\\-scan$"
},
"then": {
"classification.identifier": "honeypot-http-scan"
}
},
{
"rulename": "Map new honeypot-ics-scan to old ics",
"if": {
"classification.identifier": "^honeypot\\-ics\\-scan$"
},
"then": {
"classification.identifier": "ics"
}
},
{
"rulename": "Map new open-ntpmonitor to old ntp-monitor",
"if": {
"classification.identifier": "^open\\-ntpmonitor$"
},
"then": {
"classification.identifier": "ntp-monitor"
}
},
{
"rulename": "Map new open-ntp to old ntp-version",
"if": {
"classification.identifier": "^open\\-ntp$"
},
"then": {
"classification.identifier": "ntp-version"
}
},
{
"rulename": "Map new open-db2-discovery-service to old open-db2",
"if": {
"classification.identifier": "^open\\-db2\\-discovery\\-service$"
},
"then": {
"classification.identifier": "open-db2"
}
},
{
"rulename": "Map new open-isakmp to old open-ike",
"if": {
"classification.identifier": "^open\\-isakmp$"
},
"then": {
"classification.identifier": "open-ike"
}
},
{
"rulename": "Map new open-ldap-tcp to old open-ldap",
"if": {
"classification.identifier": "^open\\-ldap\\-tcp$"
},
"then": {
"classification.identifier": "open-ldap"
}
},
{
"rulename": "Map new open-nat-pmp to old open-natpmp",
"if": {
"classification.identifier": "^open\\-nat\\-pmp$"
},
"then": {
"classification.identifier": "open-natpmp"
}
},
{
"rulename": "Map new open-netbios to old open-netbios-nameservice",
"if": {
"classification.identifier": "^open\\-netbios$"
},
"then": {
"classification.identifier": "open-netbios-nameservice"
}
},
{
"rulename": "Map new open-netis-router to old open-netis",
"if": {
"classification.identifier": "^open\\-netis\\-router$"
},
"then": {
"classification.identifier": "open-netis"
}
},
{
"rulename": "Map new sinkhole-dns to old sinkholedns",
"if": {
"classification.identifier": "^sinkhole\\-dns$"
},
"then": {
"classification.identifier": "sinkholedns"
}
}
]
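Review bot: Every rule's `if` block matches on `classification.identifier` alone, so any event carrying one of these values is rewritten, not only events produced by the ShadowServer parser. Generic values such as `blocklist` (rule "Map new blocklist to old blacklisted-ip") seem the most likely to collide with identifiers from other feeds, although whether that happens depends on the deployment, and a silent rewrite could misroute events in downstream filters or notifications keyed on the identifier. Consider scoping each rule with a second condition, e.g. `"feed.name": "<regex matching your ShadowServer feed names>"`, or documenting that this bot must sit directly behind the ShadowServer parser. Separately, the rule "Map new honeypot-http-scan to old honeypot-http-scan" maps a value onto itself; either drop it or check whether a different old identifier was intended.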
@@ -0,0 +1,2 @@
SPDX-FileCopyrightText: 2022 Intevation GmbH
SPDX-License-Identifier: AGPL-3.0-or-later
