Merge pull request #2338 from certtools/shadowserver-20230315

Add 'IPv6-Vulnerable-Exchange' alias and 'Accessible-WS-Discovery-Ser…

Author: sebix

CHANGELOG.md

@@ -20,6 +20,9 @@ CHANGELOG
 #### Collectors
 
 #### Parsers
+- `intelmq.bots.parsers.shadowserver._config`:
+  - Added 'IPv6-Vulnerable-Exchange' alias and 'Accessible-WS-Discovery-Service' report. (PR#2338 by elsif2)
+  - Removed unused 'p0f_genre' and 'p0f_detail' from the 'DNS-Open-Resolvers' report. (PR#2338 by elsif2)
 
 #### Experts
 

intelmq/bots/parsers/shadowserver/_config.py

@@ -1557,8 +1557,6 @@ def scan_exchange_identifier(field):
         ('source.geolocation.cc', 'geo'),
         ('source.geolocation.region', 'region'),
         ('source.geolocation.city', 'city'),
-        ('os.name', 'p0f_genre'),
-        ('os.version', 'p0f_detail'),
         ('extra.', 'naics', invalidate_zero),
         ('extra.', 'sic', invalidate_zero),
         ('extra.', 'sector', validate_to_none),
@@ -3392,7 +3390,7 @@ def scan_exchange_identifier(field):
     },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-SNMP
+# https://www.shadowserver.org/what-we-do/network-reporting/open-snmp-report/
 scan_snmp = {
     'required_fields': [
         ('time.source', 'timestamp', add_UTC_to_timestamp),
@@ -4067,6 +4065,37 @@ def scan_exchange_identifier(field):
     },
 }
 
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-ws-discovery-service-report/
+scan_ws_discovery = {
+    'required_fields': [
+        ('time.source', 'timestamp', add_UTC_to_timestamp),
+        ('source.ip', 'ip', validate_ip),
+        ('source.port', 'port', convert_int),
+    ],
+    'optional_fields': [
+        ('protocol.transport', 'protocol'),
+        ('source.reverse_dns', 'hostname'),
+        ('extra.', 'tag', validate_to_none),
+        ('source.asn', 'asn', invalidate_zero),
+        ('source.geolocation.cc', 'geo'),
+        ('source.geolocation.region', 'region'),
+        ('source.geolocation.city', 'city'),
+        ('extra.source.naics', 'naics', invalidate_zero),
+        ('extra.source.sic', 'sic', invalidate_zero),
+        ('extra.source.sector', 'sector', validate_to_none),
+        ('extra.', 'response_size', convert_int),
+        ('extra.', 'amplification', convert_float),
+        ('extra.', 'error', validate_to_none),
+        ('extra.', 'raw_response', validate_to_none),
+    ],
+    'constant_fields': {
+        'classification.taxonomy': 'vulnerable',
+        'classification.type': 'vulnerable-system',
+        'protocol.application': 'ws-discovery',
+        'classification.identifier': 'open-ws-discovery',
+    },
+}
+
 # https://www.shadowserver.org/what-we-do/network-reporting/accessible-xdmcp-service-report/
 scan_xdmcp = {
     'required_fields': [
@@ -4116,6 +4145,13 @@ def scan_exchange_identifier(field):
         ('extra.', 'source', validate_to_none),
         ('extra.', 'sender', validate_to_none),
         ('extra.', 'subject', validate_to_none),
+        ('source.ip', 'src_ip', validate_ip),
+        ('source.asn', 'src_asn', invalidate_zero),
+        ('source.geolocation.cc', 'src_geo'),
+        ('source.geolocation.region', 'src_region'),
+        ('source.geolocation.city', 'src_city'),
+        ('extra.source.naics', 'src_naics', invalidate_zero),
+        ('extra.source.sector', 'src_sector', validate_to_none),
         ('malware.hash.md5', 'md5', validate_to_none),
     ],
     'constant_fields': {
@@ -4186,6 +4222,7 @@ def scan_exchange_identifier(field):
     ('Sandbox-URL', 'sandbox_url', sandbox_url),
     ('IPv6-Accessible-CWMP', 'scan6_cwmp', scan_cwmp),
     ('IPv6-DNS-Open-Resolvers', 'scan6_dns', scan_dns),
+    ('IPv6-Vulnerable-Exchange', 'scan6_exchange', scan_exchange),
     ('IPv6-Accessible-FTP', 'scan6_ftp', scan_ftp),
     ('IPv6-Accessible-HTTP', 'scan6_http', scan_http),
     ('IPv6-Vulnerable-HTTP', 'scan6_http_vulnerable', scan_http_vulnerable),
@@ -4277,6 +4314,7 @@ def scan_exchange_identifier(field):
     ('Open-TFTP', 'scan_tftp', scan_tftp),
     ('Accessible-Ubiquiti-Discovery-Service', 'scan_ubiquiti', scan_ubiquiti),
     ('Accessible-VNC', 'scan_vnc', scan_vnc),
+    ('Accessible-WS-Discovery-Service', 'scan_ws_discovery', scan_ws_discovery),
     ('Open-XDMCP', 'scan_xdmcp', scan_xdmcp),
     ('Spam-URL', 'spam_url', spam_url),
     ('Special', 'special', special),

intelmq/tests/bots/parsers/shadowserver/test_scan_ws_discovery.py

@@ -0,0 +1,119 @@
+# SPDX-FileCopyrightText: 2022 Shadowserver Foundation
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/scan_ws_discovery.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Accessible-WS-Discovery-Service',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2010-02-10T00:00:00+00:00",
+                  "extra.file_name": "2010-02-10-scan_ws_discovery-test.csv",
+                  }
+EVENTS = [
+{
+    '__type': 'Event',
+    'classification.identifier': 'open-ws-discovery',
+    'classification.taxonomy': 'vulnerable',
+    'classification.type': 'vulnerable-system',
+    'extra.amplification': 164.83,
+    'extra.error': 'Validation constraint violation: SOAP message expected',
+    'extra.raw_response': 'c2FtcGxlIHJlc3BvbnNlIGRhdGEK',
+    'extra.response_size': 989,
+    'extra.source.sector': 'Communications, Service Provider, and Hosting Service',
+    'extra.tag': 'ws-discovery',
+    'feed.name': 'Accessible-WS-Discovery-Service',
+    'protocol.application': 'ws-discovery',
+    'protocol.transport': 'udp',
+    'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+    'source.asn': 64512,
+    'source.geolocation.cc': 'ZZ',
+    'source.geolocation.city': 'City',
+    'source.geolocation.region': 'Region',
+    'source.ip': '192.168.0.1',
+    'source.port': 3702,
+    'source.reverse_dns': 'node01.example.com',
+    'time.source': '2010-02-10T00:00:00+00:00'
+},
+{
+   '__type': 'Event',
+    'classification.identifier': 'open-ws-discovery',
+    'classification.taxonomy': 'vulnerable',
+    'classification.type': 'vulnerable-system',
+    'extra.amplification': 183.6,
+    'extra.error': 'Validation constraint violation: missing root element',
+    'extra.raw_response': 'c2FtcGxlIHJlc3BvbnNlIGRhdGEK',
+    'extra.response_size': 918,
+    'extra.source.sector': 'Communications, Service Provider, and Hosting Service',
+    'extra.tag': 'ws-discovery',
+    'feed.name': 'Accessible-WS-Discovery-Service',
+    'protocol.application': 'ws-discovery',
+    'protocol.transport': 'udp',
+    'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+    'source.asn': 64512,
+    'source.geolocation.cc': 'ZZ',
+    'source.geolocation.city': 'City',
+    'source.geolocation.region': 'Region',
+    'source.ip': '192.168.0.2',
+    'source.port': 3702,
+    'source.reverse_dns': 'node02.example.com',
+    'time.source': '2010-02-10T00:00:01+00:00'
+},
+{
+   '__type': 'Event',
+    'classification.identifier': 'open-ws-discovery',
+    'classification.taxonomy': 'vulnerable',
+    'classification.type': 'vulnerable-system',
+    'extra.amplification': 197.8,
+    'extra.error': 'Validation constraint violation: SOAP message expected',
+    'extra.raw_response': 'c2FtcGxlIHJlc3BvbnNlIGRhdGEK',
+    'extra.response_size': 989,
+    'extra.source.sector': 'Communications, Service Provider, and Hosting Service',
+    'extra.tag': 'ws-discovery',
+    'feed.name': 'Accessible-WS-Discovery-Service',
+    'protocol.application': 'ws-discovery',
+    'protocol.transport': 'udp',
+    'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+    'source.asn': 64512,
+    'source.geolocation.cc': 'ZZ',
+    'source.geolocation.city': 'City',
+    'source.geolocation.region': 'Region',
+    'source.ip': '192.168.0.3',
+    'source.port': 3702,
+    'source.reverse_dns': 'node03.example.com',
+    'time.source': '2010-02-10T00:00:02+00:00'
+}
+]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()

intelmq/tests/bots/parsers/shadowserver/testdata/scan_ws_discovery.csv

@@ -0,0 +1,4 @@
+"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","sector","response_size","amplification","error","raw_response"
+"2010-02-10 00:00:00",192.168.0.1,udp,3702,node01.example.com,ws-discovery,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service",989,164.83,"Validation constraint violation: SOAP message expected",c2FtcGxlIHJlc3BvbnNlIGRhdGEK
+"2010-02-10 00:00:01",192.168.0.2,udp,3702,node02.example.com,ws-discovery,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service",918,183.60,"Validation constraint violation: missing root element",c2FtcGxlIHJlc3BvbnNlIGRhdGEK
+"2010-02-10 00:00:02",192.168.0.3,udp,3702,node03.example.com,ws-discovery,64512,ZZ,Region,City,0,0,"Communications, Service Provider, and Hosting Service",989,197.80,"Validation constraint violation: SOAP message expected",c2FtcGxlIHJlc3BvbnNlIGRhdGEK

intelmq/tests/bots/parsers/shadowserver/testdata/scan_ws_discovery.csv.license

@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2023 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later