BUG: lib/harm & bots: Use new RSIT mapping
see CHANGELOG and NEWS

fixes #1380

  - replace `botnet drone` with `infected-system`
  - replace `infected system` with `infected-system`
  - replace `ids alert` with `ids-alert`
  - replace `c&c` with `c2server`
  - replace `malware configuration` with `malware-configuration`
Sebastian Wagner committed May 14, 2019
1 parent 9d4f62b commit e25cf7c
Showing 64 changed files with 257 additions and 176 deletions.
8 changes: 8 additions & 0 deletions CHANGELOG.md
Expand Up @@ -13,13 +13,21 @@ CHANGELOG
- Use `statistics_*` parameters for bot's statistics (#1402). - Use `statistics_*` parameters for bot's statistics (#1402).
- Introduce `collector_empty_process` for collectors with an empty `process()` method, hardcoded 1s minimum sleep time, preventing endless loops, causing high load (#1364). - Introduce `collector_empty_process` for collectors with an empty `process()` method, hardcoded 1s minimum sleep time, preventing endless loops, causing high load (#1364).
- `intelmq.lib.pipeline`: redis: OOM can also be low memory, add this to log message (#1405). - `intelmq.lib.pipeline`: redis: OOM can also be low memory, add this to log message (#1405).
- `intelmq.lib.harmonization`: ClassificationType: Update RSIT mapping (#1380):
- replace `botnet drone` with `infected-system`
- replace `infected system` with `infected-system`
- replace `ids alert` with `ids-alert`
- replace `c&c` with `c2server`
- replace `malware configuration` with `malware-configuration`
- sanitize replaces these values on the fly


### Development ### Development
- Applied isort to all core files and core-related test files, sorting the imports there (every thing except bots and bots' tests). - Applied isort to all core files and core-related test files, sorting the imports there (every thing except bots and bots' tests).


### Harmonization ### Harmonization


### Bots ### Bots
- Use the new RSIT types in several types, see above
#### Collectors #### Collectors


#### Parsers #### Parsers
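Review bot: the new "### Bots" entry "Use the new RSIT types in several types, see above" is ambiguous; "in several types" presumably means "in several bots" (the parser and expert bots touched by this commit), so write that out, and consider listing the affected bots or at least the bot categories, since a reader upgrading wants to know which bots' output changes. The harmonization entry itself is fine, but "sanitize replaces these values on the fly" would be clearer as "the sanitize step maps the old values to the new ones on the fly", making explicit that old values in incoming data are not rejected.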
Expand Down
28 changes: 28 additions & 0 deletions NEWS.md
Expand Up @@ -11,6 +11,12 @@ See the changelog for a full list of changes.
### Tools ### Tools


### Harmonization ### Harmonization
The allowed values for the `classification.type` field have been updated to the RSIT mapping. These values have changed and are automatically mapped:
- `botnet drone` with `infected-system`
- `infected system` with `infected-system`
- `ids alert` with `ids-alert`
- `c&c` with `c2server`
- `malware configuration` with `malware-configuration`


### Configuration ### Configuration
Four new values have been introduced to configure the statistics database. Add them to your `defaults.conf` file: Four new values have been introduced to configure the statistics database. Add them to your `defaults.conf` file:
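Review bot: the wording of the mapping list is off: "These values have changed and are automatically mapped: `botnet drone` with `infected-system`" reads as a replacement instruction copied from the changelog, not as a mapping; for NEWS, which users read when upgrading, write "`botnet drone` -> `infected-system`" (or "is mapped to") for each item, and state in one sentence that events still carrying the old values are converted automatically, so no action is required for live data, only for stored data (the Postgres section below).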
Expand All @@ -22,6 +28,28 @@ Four new values have been introduced to configure the statistics database. Add t
### Libraries ### Libraries


### Postgres databases ### Postgres databases
The following statements optionally update existing data.
Please check if you did use these feed names and eventually adapt them for your setup!
```SQL
UPDATE events
SET "classification.type" = 'infected-system'
WHERE "classification.type" = 'botnet drone';
UPDATE events
SET "classification.type" = 'infected-system'
WHERE "classification.type" = 'infected system';
UPDATE events
SET "classification.type" = 'ids-alert'
WHERE "classification.type" = 'ids alert';
UPDATE events
SET "classification.type" = 'c2server'
WHERE "classification.type" = 'c&c';
UPDATE events
SET "classification.type" = 'malware-configuration'
WHERE "classification.type" = 'malware configuration';
```

In the section for 1.1.0 there was this command:
```
2.0.0.beta1 release (2019-04-10) 2.0.0.beta1 release (2019-04-10)
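Review bot: "eventually adapt them for your setup" is a false friend; it should read "adapt them if necessary", since the sentence is asking the operator to check, not promising that something will happen later. On the SQL itself, the five separate `UPDATE events` statements each scan the table and leave a window where the data is half-migrated if one of them fails; suggest wrapping them in a single transaction, or collapsing them into one statement with a `CASE` expression on `"classification.type"`, and mentioning that any other tables or views that copy `classification.type` (the NEWS text only names `events`) need the same treatment.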
Expand Down
4 changes: 2 additions & 2 deletions docs/Feeds.md
Expand Up @@ -81,7 +81,7 @@ To add feeds to this file add them to `intelmq/etc/feeds.yaml` and then run
* * `columns`: `['time.source', 'source.ip', 'malware.name', 'status', 'extra.SBL', 'source.as_name', 'source.geolocation.cc']` * * `columns`: `['time.source', 'source.ip', 'malware.name', 'status', 'extra.SBL', 'source.as_name', 'source.geolocation.cc']`
* * `ignore_values`: `['', '', '', '', 'Not listed', '', '']` * * `ignore_values`: `['', '', '', '', 'Not listed', '', '']`
* * `skip_table_head`: `True` * * `skip_table_head`: `True`
* * `type`: `c&c` * * `type`: `c2server`




## Feodo Tracker IPs ## Feodo Tracker IPs
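Review bot: the context line at the top of this hunk says this file is generated from `intelmq/etc/feeds.yaml`, so the `type: c2server` change here must also be present in that YAML file in this commit; if only the generated Markdown was edited, the next regeneration of `docs/Feeds.md` silently reverts it. The same applies to the second hunk in this file.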
Expand Down Expand Up @@ -750,7 +750,7 @@ To add feeds to this file add them to `intelmq/etc/feeds.yaml` and then run
* * `columns`: `['time.source', 'source.url', 'source.ip', 'malware.name', '__IGNORE__']` * * `columns`: `['time.source', 'source.url', 'source.ip', 'malware.name', '__IGNORE__']`
* * `default_url_protocol`: `http://` * * `default_url_protocol`: `http://`
* * `skip_table_head`: `True` * * `skip_table_head`: `True`
* * `type`: `c&c` * * `type`: `c2server`




# DShield # DShield
Expand Down
16 changes: 11 additions & 5 deletions docs/Harmonization-fields.md
Expand Up @@ -130,14 +130,20 @@ Reference Security Incident Taxonomy Working Group – RSIT WG
https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/ https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/
with extensions. with extensions.


These old values are automatically mapped to the new ones:
'botnet drone' -> 'infected-system'
'ids alert' -> 'ids-alert'
'c&c' -> 'c2server'
'infected system' -> 'infected-system'
'malware configuration' -> 'malware-configuration'

Allowed values are: Allowed values are:
* application-compromise * application-compromise
* backdoor * backdoor
* blacklist * blacklist
* botnet drone
* brute-force * brute-force
* burglary * burglary
* c&c * c2server
* compromised * compromised
* copyright * copyright
* data-loss * data-loss
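Review bot: the five mapping lines ("'botnet drone' -> 'infected-system'" etc.) are plain text lines in a Markdown file, so they render as one run-together paragraph; format them as a bullet list like the "Allowed values are:" list below, or as a fenced block, so each mapping stays on its own line. The removal of `botnet drone` from the allowed values together with the automatic mapping note is consistent with the changelog.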
Expand All @@ -149,12 +155,12 @@ Allowed values are:
* dropzone * dropzone
* exploit * exploit
* harmful-speech * harmful-speech
* ids alert * ids-alert
* infected system * infected-system
* information-disclosure * information-disclosure
* leak * leak
* malware * malware
* malware configuration * malware-configuration
* malware-distribution * malware-distribution
* masquerade * masquerade
* other * other
Expand Down
4 changes: 2 additions & 2 deletions intelmq/bots/BOTS
Expand Up @@ -449,7 +449,7 @@
"filter_type": null, "filter_type": null,
"skip_header": true, "skip_header": true,
"time_format": null, "time_format": null,
"type": "c&c", "type": "c2server",
"type_translation": null "type_translation": null
} }
}, },
Expand All @@ -474,7 +474,7 @@
"split_index": 0, "split_index": 0,
"default_url_protocol": "http://", "default_url_protocol": "http://",
"time_format": null, "time_format": null,
"type": "c&c" "type": "c2server"
} }
}, },
"HpHosts": { "HpHosts": {
Expand Down
13 changes: 6 additions & 7 deletions intelmq/bots/experts/idea/expert.py
Expand Up @@ -30,15 +30,14 @@ class IdeaExpertBot(Bot):
"spam": "Abusive.Spam", "spam": "Abusive.Spam",
"scanner": "Recon.Scanning", "scanner": "Recon.Scanning",
"dropzone": "Information.UnauthorizedAccess", "dropzone": "Information.UnauthorizedAccess",
"infected system": "Malware", "infected-system": "Malware",
"malware configuration": "Malware", "malware-configuration": "Malware",
"botnet drone": "Malware",
"ransomware": "Malware", "ransomware": "Malware",
"malware": "Malware", "malware": "Malware",
"c&c": "Intrusion.Botnet", "c2server": "Intrusion.Botnet",
"exploit": "Attempt.Exploit", "exploit": "Attempt.Exploit",
"brute-force": "Attempt.Login", "brute-force": "Attempt.Login",
"ids alert": "Attempt.Exploit", "ids-alert": "Attempt.Exploit",
"defacement": "Intrusion.AppCompromise", "defacement": "Intrusion.AppCompromise",
"compromised": "Intrusion.AdminCompromise", "compromised": "Intrusion.AdminCompromise",
"backdoor": "Intrusion.AdminCompromise", "backdoor": "Intrusion.AdminCompromise",
Expand Down Expand Up @@ -84,8 +83,8 @@ class IdeaExpertBot(Bot):


"phishing": "Phishing", "phishing": "Phishing",
"dropzone": "Dropzone", "dropzone": "Dropzone",
"malware configuration": "MalwareConf", "malware-configuration": "MalwareConf",
"c&c": "CC", "c2server": "CC",
"dga domain": "DGA", "dga domain": "DGA",
"proxy": "Proxy", "proxy": "Proxy",
"tor": "Tor", "tor": "Tor",
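Review bot: `"dga domain": "DGA"` keeps a space-separated type while every other space-containing type in this dictionary was renamed to the hyphenated RSIT form; since the harmonization in this commit does not list `dga domain` among the mapped values, confirm it is intentionally left as is, and add a short comment saying so, otherwise the next reader will assume it was missed.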
Expand Down
9 changes: 4 additions & 5 deletions intelmq/bots/experts/taxonomy/expert.py
Expand Up @@ -34,7 +34,7 @@
"social-engineering": "information-gathering", "social-engineering": "information-gathering",
"brute-force": "intrusion attempts", "brute-force": "intrusion attempts",
"exploit": "intrusion attempts", "exploit": "intrusion attempts",
"ids alert": "intrusion attempts", # ENISA eCSIRT-II taxonomy: 'ids-alert' "ids-alert": "intrusion attempts",
"application-compromise": "intrusions", "application-compromise": "intrusions",
"backdoor": "intrusions", # not in ENISA eCSIRT-II taxonomy "backdoor": "intrusions", # not in ENISA eCSIRT-II taxonomy
"burglary": "intrusions", "burglary": "intrusions",
Expand All @@ -44,12 +44,11 @@
"unauthorized-command": "intrusions", # not in ENISA eCSIRT-II taxonomy "unauthorized-command": "intrusions", # not in ENISA eCSIRT-II taxonomy
"unauthorized-login": "intrusions", # not in ENISA eCSIRT-II taxonomy "unauthorized-login": "intrusions", # not in ENISA eCSIRT-II taxonomy
"unprivileged-account-compromise": "intrusions", "unprivileged-account-compromise": "intrusions",
"botnet drone": "malicious code", # not in ENISA eCSIRT-II taxonomy, deprecated -> infected system "c2server": "malicious code", # ENISA eCSIRT-II taxonomy: 'c2server'
"c&c": "malicious code", # ENISA eCSIRT-II taxonomy: 'c2server'
"dga domain": "malicious code", # not in ENISA eCSIRT-II taxonomy "dga domain": "malicious code", # not in ENISA eCSIRT-II taxonomy
"infected system": "malicious code", # ENISA eCSIRT-II taxonomy: 'infected-system' "infected-system": "malicious code", # ENISA eCSIRT-II taxonomy: 'infected-system'
"malware": "malicious code", # not in ENISA eCSIRT-II taxonomy "malware": "malicious code", # not in ENISA eCSIRT-II taxonomy
"malware configuration": "malicious code", # ENISA eCSIRT-II taxonomy: 'malware-configuration' "malware-configuration": "malicious code", # ENISA eCSIRT-II taxonomy: 'malware-configuration'
"malware-distribution": "malicious code", "malware-distribution": "malicious code",
"ransomware": "malicious code", # not in ENISA eCSIRT-II taxonomy "ransomware": "malicious code", # not in ENISA eCSIRT-II taxonomy
"blacklist": "other", "blacklist": "other",
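Review bot: the trailing comments `# ENISA eCSIRT-II taxonomy: 'c2server'`, `# ENISA eCSIRT-II taxonomy: 'infected-system'` and `# ENISA eCSIRT-II taxonomy: 'malware-configuration'` are now redundant, because the dictionary key already equals the taxonomy name; drop them, as was done for `ids-alert` in the first hunk of this file, so that the remaining comments only flag the entries that are not in the ENISA taxonomy.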
Expand Down
2 changes: 1 addition & 1 deletion intelmq/bots/parsers/abusech/parser_domain.py
Expand Up @@ -32,7 +32,7 @@ def parse_line(self, line, report):
event = self.new_event(report) event = self.new_event(report)
event.add('time.source', self.lastgenerated) event.add('time.source', self.lastgenerated)
event.add('classification.taxonomy', 'malicious code') event.add('classification.taxonomy', 'malicious code')
event.add('classification.type', 'c&c') event.add('classification.type', 'c2server')
event.add('source.fqdn', line) event.add('source.fqdn', line)
event.add("raw", line) event.add("raw", line)
event.add("malware.name", SOURCE_FEEDS[report["feed.url"]]) event.add("malware.name", SOURCE_FEEDS[report["feed.url"]])
Expand Down
2 changes: 1 addition & 1 deletion intelmq/bots/parsers/abusech/parser_ip.py
Expand Up @@ -74,7 +74,7 @@ def __process_defaults(self, event, line, feed_url):
defaults = { defaults = {
('malware.name', FEEDS[feed_url]['malware']), ('malware.name', FEEDS[feed_url]['malware']),
('raw', line), ('raw', line),
('classification.type', 'c&c'), ('classification.type', 'c2server'),
('classification.taxonomy', 'malicious code'), ('classification.taxonomy', 'malicious code'),
('extra.feed_last_generated', self.__last_generated_date) ('extra.feed_last_generated', self.__last_generated_date)
} }
Expand Down
4 changes: 2 additions & 2 deletions intelmq/bots/parsers/abusech/parser_ransomware.py
Expand Up @@ -38,7 +38,7 @@ def process(self):
for nrow in csv.reader(io.StringIO(new_row)): for nrow in csv.reader(io.StringIO(new_row)):
ev = Event(report) ev = Event(report)
ev.add('classification.taxonomy', 'malicious code') ev.add('classification.taxonomy', 'malicious code')
ev.add('classification.type', 'c&c') ev.add('classification.type', 'c2server')
ev.add('classification.identifier', nrow[2].lower()) ev.add('classification.identifier', nrow[2].lower())
ev.add('time.source', nrow[0] + ' UTC', overwrite=True) ev.add('time.source', nrow[0] + ' UTC', overwrite=True)
ev.add('status', nrow[5]) ev.add('status', nrow[5])
Expand All @@ -51,7 +51,7 @@ def process(self):
else: else:
event = Event(report) event = Event(report)
event.add('classification.taxonomy', 'malicious code') event.add('classification.taxonomy', 'malicious code')
event.add('classification.type', 'c&c') event.add('classification.type', 'c2server')
event.add('classification.identifier', row[2].lower()) event.add('classification.identifier', row[2].lower())
event.add('time.source', row[0] + ' UTC') event.add('time.source', row[0] + ' UTC')
event.add('status', row[5]) event.add('status', row[5])
Expand Down
2 changes: 1 addition & 1 deletion intelmq/bots/parsers/alienvault/parser.py
Expand Up @@ -3,7 +3,7 @@
from intelmq.lib.bot import ParserBot from intelmq.lib.bot import ParserBot


CLASSIFICATION = { CLASSIFICATION = {
"c&c": "c&c", "c2server": "c2server",
"scanning host": "scanner", "scanning host": "scanner",
"malicious host": "malware", "malicious host": "malware",
"spamming": "spam", "spamming": "spam",
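Review bot: in `CLASSIFICATION` the keys are the feed's own labels ("scanning host", "malicious host", "spamming") and the values are IntelMQ types, so only the value side should change here; changing the key from `"c&c"` to `"c2server"` means a feed line labelled "c&c" no longer matches. Suggest `"c&c": "c2server",` unless the AlienVault feed itself has switched to the new label.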
Expand Down
4 changes: 2 additions & 2 deletions intelmq/bots/parsers/bambenek/parser.py
Expand Up @@ -46,13 +46,13 @@ def parse_line(self, line, report):
if report['feed.url'] in BambenekParserBot.IPMASTERLIST: if report['feed.url'] in BambenekParserBot.IPMASTERLIST:
event.add('source.ip', value[0]) event.add('source.ip', value[0])
event.add('time.source', value[2] + ' UTC') event.add('time.source', value[2] + ' UTC')
event.add('classification.type', 'c&c') event.add('classification.type', 'c2server')
event.add('status', 'online') event.add('status', 'online')


elif report['feed.url'] in BambenekParserBot.DOMMASTERLIST: elif report['feed.url'] in BambenekParserBot.DOMMASTERLIST:
event.add('source.fqdn', value[0]) event.add('source.fqdn', value[0])
event.add('time.source', value[2] + ' UTC') event.add('time.source', value[2] + ' UTC')
event.add('classification.type', 'c&c') event.add('classification.type', 'c2server')
event.add('status', 'online') event.add('status', 'online')


elif report['feed.url'] in BambenekParserBot.DGA_FEED: elif report['feed.url'] in BambenekParserBot.DGA_FEED:
Expand Down
14 changes: 7 additions & 7 deletions intelmq/bots/parsers/blocklistde/parser.py
Expand Up @@ -9,37 +9,37 @@
"classification.type": "blacklist", "classification.type": "blacklist",
}, },
"ssh.txt": { "ssh.txt": {
"classification.type": "ids alert", "classification.type": "ids-alert",
"protocol.application": "ssh", "protocol.application": "ssh",
"event_description.text": "IP reported as having run attacks on the " "event_description.text": "IP reported as having run attacks on the "
"service SSH", "service SSH",
}, },
"mail.txt": { "mail.txt": {
"classification.type": "ids alert", "classification.type": "ids-alert",
"protocol.application": "smtp", "protocol.application": "smtp",
"event_description.text": "IP reported as having run attacks on the " "event_description.text": "IP reported as having run attacks on the "
"service Mail, Postfix", "service Mail, Postfix",
}, },
"apache.txt": { "apache.txt": {
"classification.type": "ids alert", "classification.type": "ids-alert",
"protocol.application": "http", "protocol.application": "http",
"event_description.text": "IP reported as having run attacks on the " "event_description.text": "IP reported as having run attacks on the "
"service Apache, Apache-DDoS, RFI-Attacks", "service Apache, Apache-DDoS, RFI-Attacks",
}, },
"imap.txt": { "imap.txt": {
"classification.type": "ids alert", "classification.type": "ids-alert",
"protocol.application": "imap", "protocol.application": "imap",
"event_description.text": "IP reported as having run attacks on the " "event_description.text": "IP reported as having run attacks on the "
"service IMAP, SASL, POP3", "service IMAP, SASL, POP3",
}, },
"ftp.txt": { "ftp.txt": {
"classification.type": "ids alert", "classification.type": "ids-alert",
"protocol.application": "ftp", "protocol.application": "ftp",
"event_description.text": "IP reported as having run attacks on the " "event_description.text": "IP reported as having run attacks on the "
"service FTP", "service FTP",
}, },
"sip.txt": { "sip.txt": {
"classification.type": "ids alert", "classification.type": "ids-alert",
"protocol.application": "sip", "protocol.application": "sip",
"event_description.text": "IP reported as having run attacks on the " "event_description.text": "IP reported as having run attacks on the "
"service SIP, VOIP, Asterisk", "service SIP, VOIP, Asterisk",
Expand All @@ -55,7 +55,7 @@
"2 months", "2 months",
}, },
"ircbot.txt": { "ircbot.txt": {
"classification.type": "infected system", "classification.type": "infected-system",
"protocol.application": "irc", "protocol.application": "irc",
}, },
"bruteforcelogin.txt": { "bruteforcelogin.txt": {
Expand Down
2 changes: 1 addition & 1 deletion intelmq/bots/parsers/blueliv/parser_crimeserver.py
Expand Up @@ -13,7 +13,7 @@
'EXPLOIT_KIT': 'exploit', 'EXPLOIT_KIT': 'exploit',
'BACKDOOR': 'backdoor', 'BACKDOOR': 'backdoor',
'TOR_IP': 'proxy', 'TOR_IP': 'proxy',
'C_AND_C': 'c&c' 'C_AND_C': 'c2server'
} }




Expand Down
8 changes: 4 additions & 4 deletions intelmq/bots/parsers/cert_eu/parser_csv.py
Expand Up @@ -19,17 +19,17 @@ class CertEUCSVParserBot(ParserBot):
abuse_to_intelmq = defaultdict(lambda: "unknown", { abuse_to_intelmq = defaultdict(lambda: "unknown", {
"backdoor": "backdoor", "backdoor": "backdoor",
"blacklist": "blacklist", "blacklist": "blacklist",
"botnet drone": "botnet drone", "botnet drone": "infected-system",
"brute-force": "brute-force", "brute-force": "brute-force",
"c&c": "c&c", "c2server": "c2server",
"compromised server": "compromised", "compromised server": "compromised",
"ddos infrastructure": "ddos", "ddos infrastructure": "ddos",
"ddos target": "ddos", "ddos target": "ddos",
"defacement": "defacement", "defacement": "defacement",
"dropzone": "dropzone", "dropzone": "dropzone",
"exploit url": "exploit", "exploit url": "exploit",
"ids alert": "ids alert", "ids alert": "ids-alert",
"malware configuration": "malware configuration", "malware-configuration": "malware-configuration",
"malware url": "malware", "malware url": "malware",
"phishing": "phishing", "phishing": "phishing",
"ransomware": "ransomware", "ransomware": "ransomware",
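Review bot: `abuse_to_intelmq` maps CERT-EU feed values to IntelMQ types, and within this hunk the treatment of the keys is inconsistent: `"botnet drone"` and `"ids alert"` keep the feed's old label as the key and only change the value, while `"c&c"` and `"malware configuration"` have their key renamed as well. If the feed still emits `c&c` and `malware configuration`, those lines now fall through to the `defaultdict` default `"unknown"` without any error. Suggest `"c&c": "c2server",` and `"malware configuration": "malware-configuration",`, keeping the key as the feed label in all four cases.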
Expand Down
10 changes: 5 additions & 5 deletions intelmq/bots/parsers/cymru/parser_cap_program.py
Expand Up @@ -3,11 +3,11 @@
from intelmq.lib.bot import ParserBot from intelmq.lib.bot import ParserBot


MAPPING_STATIC = {'bot': { MAPPING_STATIC = {'bot': {
'classification.type': 'infected system'}, 'classification.type': 'infected-system'},
'bruteforce': { 'bruteforce': {
'classification.type': 'brute-force'}, 'classification.type': 'brute-force'},
'controller': { 'controller': {
'classification.type': 'c&c'}, 'classification.type': 'c2server'},
'darknet': {'classification.type': 'scanner', 'darknet': {'classification.type': 'scanner',
'classification.identifier': 'darknet'}, 'classification.identifier': 'darknet'},
'phishing': {'classification.type': 'phishing', 'phishing': {'classification.type': 'phishing',
Expand Down Expand Up @@ -76,7 +76,7 @@ def parse_line(self, line, report):
elif report_type == 'bots': elif report_type == 'bots':
# bots|192.0.2.1|ASN|YYYY-MM-DD HH:MM:SS|[srcport <PORT>] [mwtype <TYPE>] [destaddr <IPADDR>] [comment]|ASNAME # bots|192.0.2.1|ASN|YYYY-MM-DD HH:MM:SS|[srcport <PORT>] [mwtype <TYPE>] [destaddr <IPADDR>] [comment]|ASNAME
# TYPE can contain spaces -.- # TYPE can contain spaces -.-
event.add('classification.type', 'infected system') event.add('classification.type', 'infected-system')
comment_results = {} comment_results = {}
comment_key = None comment_key = None
comment_value = [] comment_value = []
Expand Down Expand Up @@ -113,7 +113,7 @@ def parse_line(self, line, report):
# ddosreport|192.0.2.1|ASN|YYYY-MM-DD HH:MM:SS|[<PROTOCOL> <PORT>] [category: <CATEGORY>] # ddosreport|192.0.2.1|ASN|YYYY-MM-DD HH:MM:SS|[<PROTOCOL> <PORT>] [category: <CATEGORY>]
# [servpass: <PASSWORD>] [SSL] [url: <URL>]|ASNAME # [servpass: <PASSWORD>] [SSL] [url: <URL>]|ASNAME
raise NotImplementedError('Report %r not implemented, format is unknown.' % report_type) raise NotImplementedError('Report %r not implemented, format is unknown.' % report_type)
event['classification.type'] = 'c&c' event['classification.type'] = 'c2server'
event['protocol.application'] = comment_split[0] event['protocol.application'] = comment_split[0]
event['source.port'] = comment_split[1] event['source.port'] = comment_split[1]
# TODO: category? password? ssl? # TODO: category? password? ssl?
Expand Down Expand Up @@ -198,7 +198,7 @@ def parse_line(self, line, report):
break break
elif report_type == 'toxbot': # TODO: verify elif report_type == 'toxbot': # TODO: verify
# toxbot|192.0.2.1|ASN|YYYY-MM-DD HH:MM:SS|srcport <SOURCE PORT>|ASNAME # toxbot|192.0.2.1|ASN|YYYY-MM-DD HH:MM:SS|srcport <SOURCE PORT>|ASNAME
event.add('classification.type', 'infected system') event.add('classification.type', 'infected-system')
event.add('classification.identifier', report_type) event.add('classification.identifier', report_type)
event.add('malware.name', report_type) event.add('malware.name', report_type)
event['extra.source_port'] = int(comment_split[1]) event['extra.source_port'] = int(comment_split[1])
Expand Down
4 changes: 2 additions & 2 deletions intelmq/bots/parsers/fraunhofer/parser_ddosattack_cnc.py
Expand Up @@ -2,7 +2,7 @@
""" """
The source provides a stream/list of newline separated JSON objects. Each line The source provides a stream/list of newline separated JSON objects. Each line
represents a single event observed by a DDoS C&C tracker, like an attack represents a single event observed by a DDoS C&C tracker, like an attack
command. This parser emits a c&c event for the C&C tracked server the command. This parser emits a c2server event for the C&C tracked server the
observed event originated from. If the bot receives a report with a known observed event originated from. If the bot receives a report with a known
C&C type but with an unknown message type, it generates a C&C event with a C&C type but with an unknown message type, it generates a C&C event with a
feed.accuracy given by the parameter unknown_messagetype_accuracy, if set. feed.accuracy given by the parameter unknown_messagetype_accuracy, if set.
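Review bot: the docstring now mixes the type name and the concept: "emits a c2server event for the C&C tracked server" is fine if `c2server` is meant as the literal `classification.type` value, so put it in quotes or backticks to make that clear; the following sentence still says "generates a C&C event", which is consistent as prose but should not be read as a type name. Also "the C&C tracked server" should be "the tracked C&C server".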
Expand All @@ -27,7 +27,7 @@ def __parse_cnc_server(self, message, line, report):
'unsupported cnctype %s.' % message['cnctype']) 'unsupported cnctype %s.' % message['cnctype'])


event = self.__new_event(message, line, report) event = self.__new_event(message, line, report)
event.add('classification.type', 'c&c') event.add('classification.type', 'c2server')
event.add('classification.taxonomy', 'malicious code') event.add('classification.taxonomy', 'malicious code')
event.add('source.fqdn', message['cnc']['domain']) event.add('source.fqdn', message['cnc']['domain'])
event.add('source.ip', message['cnc']['ip']) event.add('source.ip', message['cnc']['ip'])
Expand Down