shadowserver parser: drone feed has spam events #1271

Closed
ghost opened this issue Jul 12, 2018 · 2 comments
Labels: bug, component: bots

ghost commented Jul 12, 2018

The drone report contains events that are actually spam and not malware.

"timestamp","ip","port","asn","geo","region","city","hostname","type","infection","url","agent","cc_ip","cc_port","cc_asn","cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail","machine_name","id","naics","sic","cc_naics","cc_sic","sector","cc_sector","ssl_cipher","family","tag","public_source"
"2018-07-10 18:50:25","127.0.0.1","","64496","AT","VIENNA","VIENNA","example.com","tcp","spam","https://example.com/link","","","","","","","","","","","","","","0","0","","","","","","","spam",""

These are wrongly classified as infected system/malware.

possible upgrade statement:

UPDATE events
   SET "classification.taxonomy" = 'abusive content', "classification.type" = 'spam', "classification.identifier" = 'spam'
   WHERE "malware.name" = 'spam' AND "feed.name" = 'Drone';

cc @th-certbund

th-certbund (Contributor) commented

Looks like those events in the drone report are messed up.
"hostname" usually is the reverse-lookup for the source ip but with those events it is the hostname included in "url". :-/
I've added events tagged as "spam" in the drone reports to our blacklist to completely drop them.
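
Two things the thread leaves implicit are what a parser should emit for a drone row tagged "spam" and what the proposed UPDATE does to events that were already stored. The Python below is an added example written for this page, not IntelMQ's shadowserver parser: it parses a constructed drone report (the spam row quoted in the issue plus an invented non-spam row using RFC 5737 addresses), classifies spam rows as abusive content / spam with no malware.name, refuses to store the URL-derived "hostname" as reverse DNS, offers the drop-them-entirely option, and runs the issue's UPDATE against an in-memory SQLite table. The event field names follow IntelMQ's harmonization as far as I recall it, the "infected-system" classification.type for ordinary drone rows is an assumption, and the sample rows and legacy stored events are constructed, not feed data.

```python
# Added example for this issue, not IntelMQ's own shadowserver parser.
# Assumed: IntelMQ-style field names below and "infected-system" as the
# classification.type for ordinary (non-spam) drone rows.
import csv
import io
import sqlite3
from urllib.parse import urlparse

# Column order of the drone report as quoted in the issue.
HEADER = (
    "timestamp ip port asn geo region city hostname type infection url agent "
    "cc_ip cc_port cc_asn cc_geo cc_dns count proxy application p0f_genre "
    "p0f_detail machine_name id naics sic cc_naics cc_sic sector cc_sector "
    "ssl_cipher family tag public_source"
).split()


def _row(**fields):
    """Build one report row with every column present (empty unless given)."""
    row = dict.fromkeys(HEADER, "")
    row.update(fields)
    return row


# Constructed sample: the spam row from the issue plus an invented ordinary
# drone row (RFC 5737 documentation addresses, made-up hostname).
SAMPLE_ROWS = [
    _row(timestamp="2018-07-10 18:50:25", ip="127.0.0.1", asn="64496", geo="AT",
         region="VIENNA", city="VIENNA", hostname="example.com", type="tcp",
         infection="spam", url="https://example.com/link", naics="0", sic="0",
         tag="spam"),
    _row(timestamp="2018-07-10 18:51:00", ip="192.0.2.5", asn="64496", geo="AT",
         region="VIENNA", city="VIENNA", hostname="host-5.example.net",
         type="tcp", infection="conficker", cc_ip="198.51.100.9", cc_port="80",
         cc_asn="64497", cc_geo="US", naics="0", sic="0", tag="conficker"),
]


def sample_report():
    """Render SAMPLE_ROWS as the fully quoted CSV text the feed delivers."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=HEADER, quoting=csv.QUOTE_ALL,
                       lineterminator="\n")
    w.writeheader()
    w.writerows(SAMPLE_ROWS)
    return buf.getvalue()


def parse_drone_report(text):
    """Parse report text into row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(row):
    """Map one drone row to IntelMQ-style event fields.

    infection == "spam" is abusive content, not an infected system: it gets
    the spam classification and no malware.name. Other rows keep the usual
    malware mapping.
    """
    event = {"feed.name": "Drone", "time.source": row["timestamp"],
             "source.ip": row["ip"], "source.asn": row["asn"]}
    url_host = urlparse(row["url"]).hostname if row["url"] else None
    if row["infection"].strip().lower() == "spam":
        event["classification.taxonomy"] = "abusive content"
        event["classification.type"] = "spam"
        event["classification.identifier"] = "spam"
        event["source.url"] = row["url"]
        # In spam rows "hostname" carries the URL's host rather than the
        # reverse lookup of the source IP, so keep it as rDNS only when it is
        # not simply the URL host.
        if row["hostname"] != url_host:
            event["source.reverse_dns"] = row["hostname"]
    else:
        event["classification.taxonomy"] = "malicious code"
        event["classification.type"] = "infected-system"  # assumed value
        event["classification.identifier"] = row["infection"]
        event["malware.name"] = row["infection"]
        event["source.reverse_dns"] = row["hostname"]
        event["destination.ip"] = row["cc_ip"]
        event["destination.port"] = int(row["cc_port"]) if row["cc_port"] else None
    return {k: v for k, v in event.items() if v not in ("", None)}


def drop_spam(rows):
    """The alternative taken in the thread: discard spam rows entirely."""
    return [r for r in rows if r["infection"].strip().lower() != "spam"]


# The UPDATE proposed in the issue, for events stored before a parser fix.
MIGRATION_SQL = """UPDATE events
   SET "classification.taxonomy" = 'abusive content', "classification.type" = 'spam', "classification.identifier" = 'spam'
   WHERE "malware.name" = 'spam' AND "feed.name" = 'Drone';"""

COLS = ("feed.name", "malware.name", "classification.taxonomy",
        "classification.type", "classification.identifier")

# Constructed: how such events would have landed in the database before the
# fix; the third row belongs to a different feed and must stay untouched.
LEGACY_STORED_EVENTS = [
    dict(zip(COLS, ("Drone", "spam", "malicious code", "infected-system", "spam"))),
    dict(zip(COLS, ("Drone", "conficker", "malicious code", "infected-system", "conficker"))),
    dict(zip(COLS, ("Other", "spam", "malicious code", "infected-system", "spam"))),
]


def migrate_stored_events(stored):
    """Run MIGRATION_SQL on an in-memory SQLite copy of `stored`; return rows after."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events (%s)" % ", ".join(f'"{c}" TEXT' for c in COLS))
    con.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)",
                    [tuple(e[c] for c in COLS) for e in stored])
    con.execute(MIGRATION_SQL)
    select = "SELECT " + ", ".join(f'"{c}"' for c in COLS) + " FROM events ORDER BY rowid"
    result = [dict(zip(COLS, r)) for r in con.execute(select)]
    con.close()
    return result
```

Note that the WHERE clause keys on `"malware.name" = 'spam'`, which only exists because the old mapping copied the "infection" column into malware.name; after the parser change new spam events carry no malware.name at all, so the statement is a one-off migration, not something to rerun.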

ghost commented Aug 21, 2018

Asked shadowserver about the URL's meaning

possible fix in e25de3d

@ghost ghost modified the milestones: 1.0.6, 1.1.1 Sep 5, 2018
@ghost ghost closed this as completed in e25de3d Oct 10, 2018