modify expert: add config for shadowserver changes
Add an example configuration for the modify bot. It reverts the changes to the classification.identifier values made in the ShadowServer parser bot, effective in IntelMQ 3.1. See also certtools#2227.
1 parent
c446a18
commit 2ec9d35
Showing
2 changed files
with
247 additions
and
0 deletions.
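--- a/intelmq/bots/experts/modify/examples/shadowserver-revert-identifier-changes-3.1.conf
+++ b/intelmq/bots/experts/modify/examples/shadowserver-revert-identifier-changes-3.1.conf
@@ -0,0 +1,245 @@
+[
+{
+"rulename": "Map new open-adb to old accessible-adb",
+"if": {
+"classification.identifier": "^open\\-adb$"
+},
+"then": {
+"classification.identifier": "accessible-adb"
+}
+},
+{
+"rulename": "Map new open-afp to old accessible-afp",
+"if": {
+"classification.identifier": "^open\\-afp$"
+},
+"then": {
+"classification.identifier": "accessible-afp"
+}
+},
+{
+"rulename": "Map new open-amqp to old accessible-amqp",
+"if": {
+"classification.identifier": "^open\\-amqp$"
+},
+"then": {
+"classification.identifier": "accessible-amqp"
+}
+},
+{
+"rulename": "Map new open-ard to old accessible-ard",
+"if": {
+"classification.identifier": "^open\\-ard$"
+},
+"then": {
+"classification.identifier": "accessible-ard"
+}
+},
+{
+"rulename": "Map new open-cisco-smart-install to old accessible-cisco-smart-install",
+"if": {
+"classification.identifier": "^open\\-cisco\\-smart\\-install$"
+},
+"then": {
+"classification.identifier": "accessible-cisco-smart-install"
+}
+},
+{
+"rulename": "Map new open-coap to old accessible-coap",
+"if": {
+"classification.identifier": "^open\\-coap$"
+},
+"then": {
+"classification.identifier": "accessible-coap"
+}
+},
+{
+"rulename": "Map new open-ftp to old accessible-ftp",
+"if": {
+"classification.identifier": "^open\\-ftp$"
+},
+"then": {
+"classification.identifier": "accessible-ftp"
+}
+},
+{
+"rulename": "Map new open-hadoop to old accessible-hadoop",
+"if": {
+"classification.identifier": "^open\\-hadoop$"
+},
+"then": {
+"classification.identifier": "accessible-hadoop"
+}
+},
+{
+"rulename": "Map new open-http to old accessible-http",
+"if": {
+"classification.identifier": "^open\\-http$"
+},
+"then": {
+"classification.identifier": "accessible-http"
+}
+},
+{
+"rulename": "Map new open-rdpeudp to old accessible-msrdpeudp",
+"if": {
+"classification.identifier": "^open\\-rdpeudp$"
+},
+"then": {
+"classification.identifier": "accessible-msrdpeudp"
+}
+},
+{
+"rulename": "Map new open-radmin to old accessible-radmin",
+"if": {
+"classification.identifier": "^open\\-radmin$"
+},
+"then": {
+"classification.identifier": "accessible-radmin"
+}
+},
+{
+"rulename": "Map new open-rsync to old accessible-rsync",
+"if": {
+"classification.identifier": "^open\\-rsync$"
+},
+"then": {
+"classification.identifier": "accessible-rsync"
+}
+},
+{
+"rulename": "Map new open-ubiquiti to old accessible-ubiquiti-discovery-service",
+"if": {
+"classification.identifier": "^open\\-ubiquiti$"
+},
+"then": {
+"classification.identifier": "accessible-ubiquiti-discovery-service"
+}
+},
+{
+"rulename": "Map new honeypot-ddos-amp to old amplification-ddos-victim",
+"if": {
+"classification.identifier": "^honeypot\\-ddos\\-amp$"
+},
+"then": {
+"classification.identifier": "amplification-ddos-victim"
+}
+},
+{
+"rulename": "Map new blocklist to old blacklisted-ip",
+"if": {
+"classification.identifier": "^blocklist$"
+},
+"then": {
+"classification.identifier": "blacklisted-ip"
+}
+},
+{
+"rulename": "Map new open-dns to old dns-open-resolver",
+"if": {
+"classification.identifier": "^open\\-dns$"
+},
+"then": {
+"classification.identifier": "dns-open-resolver"
+}
+},
+{
+"rulename": "Map new honeypot-http-scan to old honeypot-http-scan",
+"if": {
+"classification.identifier": "^honeypot\\-http\\-scan$"
+},
+"then": {
+"classification.identifier": "honeypot-http-scan"
+}
+},
+{
+"rulename": "Map new honeypot-ics-scan to old ics",
+"if": {
+"classification.identifier": "^honeypot\\-ics\\-scan$"
+},
+"then": {
+"classification.identifier": "ics"
+}
+},
+{
+"rulename": "Map new open-ntpmonitor to old ntp-monitor",
+"if": {
+"classification.identifier": "^open\\-ntpmonitor$"
+},
+"then": {
+"classification.identifier": "ntp-monitor"
+}
+},
+{
+"rulename": "Map new open-ntp to old ntp-version",
+"if": {
+"classification.identifier": "^open\\-ntp$"
+},
+"then": {
+"classification.identifier": "ntp-version"
+}
+},
+{
+"rulename": "Map new open-db2-discovery-service to old open-db2",
+"if": {
+"classification.identifier": "^open\\-db2\\-discovery\\-service$"
+},
+"then": {
+"classification.identifier": "open-db2"
+}
+},
+{
+"rulename": "Map new open-isakmp to old open-ike",
+"if": {
+"classification.identifier": "^open\\-isakmp$"
+},
+"then": {
+"classification.identifier": "open-ike"
+}
+},
+{
+"rulename": "Map new open-ldap-tcp to old open-ldap",
+"if": {
+"classification.identifier": "^open\\-ldap\\-tcp$"
+},
+"then": {
+"classification.identifier": "open-ldap"
+}
+},
+{
+"rulename": "Map new open-nat-pmp to old open-natpmp",
+"if": {
+"classification.identifier": "^open\\-nat\\-pmp$"
+},
+"then": {
+"classification.identifier": "open-natpmp"
+}
+},
+{
+"rulename": "Map new open-netbios to old open-netbios-nameservice",
+"if": {
+"classification.identifier": "^open\\-netbios$"
+},
+"then": {
+"classification.identifier": "open-netbios-nameservice"
+}
+},
+{
+"rulename": "Map new open-netis-router to old open-netis",
+"if": {
+"classification.identifier": "^open\\-netis\\-router$"
+},
+"then": {
+"classification.identifier": "open-netis"
+}
+},
+{
+"rulename": "Map new sinkhole-dns to old sinkholedns",
+"if": {
+"classification.identifier": "^sinkhole\\-dns$"
+},
+"then": {
+"classification.identifier": "sinkholedns"
+}
+}
+]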
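Review bot: The rule named `Map new honeypot-http-scan to old honeypot-http-scan` is a no-op — its `if` matches `^honeypot\-http\-scan$` and its `then` writes back the identical value, so either the pre-3.1 identifier it was meant to restore is missing here or the rule should be dropped so that readers do not mistake it for a real mapping. Every rule keys only on `classification.identifier`, so an event carrying a generic value such as `blocklist` or `open-dns` from a parser other than ShadowServer would be rewritten too; if that is not intended, narrowing each `if` with a feed-identifying field would confine the reverts to the ShadowServer feed. As a point of style, `\\-` escapes a hyphen that needs no escaping outside a character class, so `"^open-adb$"` is equivalent and easier to read; the same applies to every pattern in the file.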
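--- a/intelmq/bots/experts/modify/examples/shadowserver-revert-identifier-changes-3.1.conf.license
+++ b/intelmq/bots/experts/modify/examples/shadowserver-revert-identifier-changes-3.1.conf.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 Intevation GmbH
+SPDX-License-Identifier: AGPL-3.0-or-later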