From 2ec9d35a6c0106be49fc3f6920af8d8a10e420c1 Mon Sep 17 00:00:00 2001
From: Sebastian Wagner
Date: Mon, 19 Sep 2022 14:31:35 +0200
Subject: [PATCH] modify expert: add config for shadowserver changes

Add an example configuration for the modify bot. It reverts the changes of classification.identifier values in the ShadowServer parser bot effective in IntelMQ 3.1. see also certtools/intelmq#2227
---
...wserver-revert-identifier-changes-3.1.conf | 245 ++++++++++++++++++
...revert-identifier-changes-3.1.conf.license | 2 +
2 files changed, 247 insertions(+)
create mode 100644 intelmq/bots/experts/modify/examples/shadowserver-revert-identifier-changes-3.1.conf
create mode 100644 intelmq/bots/experts/modify/examples/shadowserver-revert-identifier-changes-3.1.conf.license

diff --git a/intelmq/bots/experts/modify/examples/shadowserver-revert-identifier-changes-3.1.conf b/intelmq/bots/experts/modify/examples/shadowserver-revert-identifier-changes-3.1.conf
new file mode 100644
index 000000000..aedb6e53b
--- /dev/null
+++ b/intelmq/bots/experts/modify/examples/shadowserver-revert-identifier-changes-3.1.conf
@@ -0,0 +1,245 @@
+[
+ {
+ "rulename": "Map new open-adb to old accessible-adb",
+ "if": {
+ "classification.identifier": "^open\\-adb$"
+ },
+ "then": {
+ "classification.identifier": "accessible-adb"
+ }
+ },
+ {
+ "rulename": "Map new open-afp to old accessible-afp",
+ "if": {
+ "classification.identifier": "^open\\-afp$"
+ },
+ "then": {
+ "classification.identifier": "accessible-afp"
+ }
+ },
+ {
+ "rulename": "Map new open-amqp to old accessible-amqp",
+ "if": {
+ "classification.identifier": "^open\\-amqp$"
+ },
+ "then": {
+ "classification.identifier": "accessible-amqp"
+ }
+ },
+ {
+ "rulename": "Map new open-ard to old accessible-ard",
+ "if": {
+ "classification.identifier": "^open\\-ard$"
+ },
+ "then": {
+ "classification.identifier": "accessible-ard"
+ }
+ },
+ {
+ "rulename": "Map new open-cisco-smart-install to old accessible-cisco-smart-install",
+ "if": {
+ "classification.identifier": "^open\\-cisco\\-smart\\-install$"
+ },
+ "then": {
+ "classification.identifier": "accessible-cisco-smart-install"
+ }
+ },
+ {
+ "rulename": "Map new open-coap to old accessible-coap",
+ "if": {
+ "classification.identifier": "^open\\-coap$"
+ },
+ "then": {
+ "classification.identifier": "accessible-coap"
+ }
+ },
+ {
+ "rulename": "Map new open-ftp to old accessible-ftp",
+ "if": {
+ "classification.identifier": "^open\\-ftp$"
+ },
+ "then": {
+ "classification.identifier": "accessible-ftp"
+ }
+ },
+ {
+ "rulename": "Map new open-hadoop to old accessible-hadoop",
+ "if": {
+ "classification.identifier": "^open\\-hadoop$"
+ },
+ "then": {
+ "classification.identifier": "accessible-hadoop"
+ }
+ },
+ {
+ "rulename": "Map new open-http to old accessible-http",
+ "if": {
+ "classification.identifier": "^open\\-http$"
+ },
+ "then": {
+ "classification.identifier": "accessible-http"
+ }
+ },
+ {
+ "rulename": "Map new open-rdpeudp to old accessible-msrdpeudp",
+ "if": {
+ "classification.identifier": "^open\\-rdpeudp$"
+ },
+ "then": {
+ "classification.identifier": "accessible-msrdpeudp"
+ }
+ },
+ {
+ "rulename": "Map new open-radmin to old accessible-radmin",
+ "if": {
+ "classification.identifier": "^open\\-radmin$"
+ },
+ "then": {
+ "classification.identifier": "accessible-radmin"
+ }
+ },
+ {
+ "rulename": "Map new open-rsync to old accessible-rsync",
+ "if": {
+ "classification.identifier": "^open\\-rsync$"
+ },
+ "then": {
+ "classification.identifier": "accessible-rsync"
+ }
+ },
+ {
+ "rulename": "Map new open-ubiquiti to old accessible-ubiquiti-discovery-service",
+ "if": {
+ "classification.identifier": "^open\\-ubiquiti$"
+ },
+ "then": {
+ "classification.identifier": "accessible-ubiquiti-discovery-service"
+ }
+ },
+ {
+ "rulename": "Map new honeypot-ddos-amp to old amplification-ddos-victim",
+ "if": {
+ "classification.identifier": "^honeypot\\-ddos\\-amp$"
+ },
+ "then": {
+ "classification.identifier": "amplification-ddos-victim"
+ }
+ },
+ {
+ "rulename": "Map new blocklist to old blacklisted-ip",
+ "if": {
+ "classification.identifier": "^blocklist$"
+ },
+ "then": {
+ "classification.identifier": "blacklisted-ip"
+ }
+ },
+ {
+ "rulename": "Map new open-dns to old dns-open-resolver",
+ "if": {
+ "classification.identifier": "^open\\-dns$"
+ },
+ "then": {
+ "classification.identifier": "dns-open-resolver"
+ }
+ },
+ {
+ "rulename": "Map new honeypot-http-scan to old honeypot-http-scan",
+ "if": {
+ "classification.identifier": "^honeypot\\-http\\-scan$"
+ },
+ "then": {
+ "classification.identifier": "honeypot-http-scan"
+ }
+ },
+ {
+ "rulename": "Map new honeypot-ics-scan to old ics",
+ "if": {
+ "classification.identifier": "^honeypot\\-ics\\-scan$"
+ },
+ "then": {
+ "classification.identifier": "ics"
+ }
+ },
+ {
+ "rulename": "Map new open-ntpmonitor to old ntp-monitor",
+ "if": {
+ "classification.identifier": "^open\\-ntpmonitor$"
+ },
+ "then": {
+ "classification.identifier": "ntp-monitor"
+ }
+ },
+ {
+ "rulename": "Map new open-ntp to old ntp-version",
+ "if": {
+ "classification.identifier": "^open\\-ntp$"
+ },
+ "then": {
+ "classification.identifier": "ntp-version"
+ }
+ },
+ {
+ "rulename": "Map new open-db2-discovery-service to old open-db2",
+ "if": {
+ "classification.identifier": "^open\\-db2\\-discovery\\-service$"
+ },
+ "then": {
+ "classification.identifier": "open-db2"
+ }
+ },
+ {
+ "rulename": "Map new open-isakmp to old open-ike",
+ "if": {
+ "classification.identifier": "^open\\-isakmp$"
+ },
+ "then": {
+ "classification.identifier": "open-ike"
+ }
+ },
+ {
+ "rulename": "Map new open-ldap-tcp to old open-ldap",
+ "if": {
+ "classification.identifier": "^open\\-ldap\\-tcp$"
+ },
+ "then": {
+ "classification.identifier": "open-ldap"
+ }
+ },
+ {
+ "rulename": "Map new open-nat-pmp to old open-natpmp",
+ "if": {
+ "classification.identifier": "^open\\-nat\\-pmp$"
+ },
+ "then": {
+ "classification.identifier": "open-natpmp"
+ }
+ },
+ {
+ "rulename": "Map new open-netbios to old open-netbios-nameservice",
+ "if": {
+ "classification.identifier": "^open\\-netbios$"
+ },
+ "then": {
+ "classification.identifier": "open-netbios-nameservice"
+ }
+ },
+ {
+ "rulename": "Map new open-netis-router to old open-netis",
+ "if": {
+ "classification.identifier": "^open\\-netis\\-router$"
+ },
+ "then": {
+ "classification.identifier": "open-netis"
+ }
+ },
+ {
+ "rulename": "Map new sinkhole-dns to old sinkholedns",
+ "if": {
+ "classification.identifier": "^sinkhole\\-dns$"
+ },
+ "then": {
+ "classification.identifier": "sinkholedns"
+ }
+ }
+]
diff --git a/intelmq/bots/experts/modify/examples/shadowserver-revert-identifier-changes-3.1.conf.license b/intelmq/bots/experts/modify/examples/shadowserver-revert-identifier-changes-3.1.conf.license
new file mode 100644
index 000000000..bf0682225
--- /dev/null
+++ b/intelmq/bots/experts/modify/examples/shadowserver-revert-identifier-changes-3.1.conf.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 Intevation GmbH
+SPDX-License-Identifier: AGPL-3.0-or-later
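Review bot: The rule named `"Map new honeypot-http-scan to old honeypot-http-scan"` is a no-op: its `if` pattern `^honeypot\\-http\\-scan$` and its `then` value `honeypot-http-scan` denote the same identifier, so each matching event pays a regex evaluation only to be rewritten to the value it already carries. Either the pre-3.1 identifier was genuinely different and the `then` value is wrong, or the rule should be removed from the array; if it is kept on purpose, its rulename is the only place to say so, since the file is strict JSON and cannot carry comments, e.g. `"rulename": "No-op: honeypot-http-scan identifier unchanged in 3.1, kept for completeness"`. The other 26 rules look consistent with each other: assuming the modify expert evaluates the `if` values as regular expressions, the `^…$` anchors keep shorter identifiers such as `open-ntp` from also matching `open-ntpmonitor`, so rule order does not affect the result.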