From 75cd169452026f2dd0df5642241774ed701b563d Mon Sep 17 00:00:00 2001 From: JdeGeit <125923512+JdeGeit@users.noreply.github.com> Date: Mon, 28 Jul 2025 10:16:02 +0200 Subject: [PATCH 1/2] Add new feeds to parser --- config/Shadowserver.php | 188 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 188 insertions(+) diff --git a/config/Shadowserver.php b/config/Shadowserver.php index 87cdd9b..94ade60 100644 --- a/config/Shadowserver.php +++ b/config/Shadowserver.php @@ -733,6 +733,7 @@ ], ], + //https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/ 'compromised_website' => [ 'class' => 'COMPROMISED_WEBSITE', 'type' => 'ABUSE', @@ -753,6 +754,28 @@ ], ], + //https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/ + 'compromised_website6' => [ + 'class' => 'COMPROMISED_WEBSITE', + 'type' => 'ABUSE', + 'enabled' => true, + 'fields' => [ + 'ip', + 'timestamp', + 'http_host', + 'category', + 'tag', + 'redirect_target', + ], + 'filters' => [ + 'asn', + 'geo', + 'region', + 'city', + ], + ], + + 'cwsandbox_url' => [ 'class' => 'MALWARE_INFECTION', 'type' => 'ABUSE', @@ -1633,6 +1656,24 @@ 'city', ], ], + + //https://www.shadowserver.org/what-we-do/network-reporting/netcore-netis-router-vulnerability-scan-report/ + 'scan_netis_router' => [ + 'class' => 'NETCORE_NETIS_ROUTER_VULNERABILITY_SCAN_REPORT', + 'type' => 'INFO', + 'enabled' => true, + 'fields' => [ + 'timestamp', + 'ip', + 'port', + ], + 'filters' =>[ + 'asn', + 'geo', + 'region', + 'city', + ], + ], //https://www.shadowserver.org/what-we-do/network-reporting/open-db2-discovery-service-report/ 'scan_db2' => [ 
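Review bot: The `compromised_website6` entry carries the same documentation URL and class as `compromised_website` with nothing saying how the two differ, and the same holds for `scan6_ipp`, `scan6_imap` and `scan6_pop3` in the later hunks. If the `6` suffix marks the IPv6 feed, as the naming suggests, a one-line comment such as `// IPv6 variant of compromised_website; keep 'fields' and 'filters' in step with it` would stop the pairs drifting apart. The entry is also followed by two added blank lines before `cwsandbox_url`, where the surrounding entries are separated by one.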
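Review bot: The class key `NETCORE_NETIS_ROUTER_VULNERABILITY_SCAN_REPORT` in `scan_netis_router` copies the report title rather than following the short form of the other keys in this patch (`OPEN_IPP`, `ACCESSIBLE_IMAP`), and nothing in the patch shows the key being defined for whatever consumes this config. If classes are resolved against a fixed list elsewhere, an unknown key could leave these events rejected or unlabelled. It is worth confirming that this key and the new `ACCESSIBLE_KUBERNETES`, `ACCESSIBLE_MSRPC`, `ACCESSIBLE_IMAP` and `ACCESSIBLE_POP3` keys in the last hunk of this patch exist there. Minor: `'filters' =>[` is missing the space used in every other entry, i.e. `'filters' => [`.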
@@ -1736,6 +1777,28 @@ 'response', ], ], + + //https://www.shadowserver.org/what-we-do/network-reporting/open-ipp-report/ + 'scan6_ipp' => [ + 'class' => 'OPEN_IPP', + 'type' => 'INFO', + 'enabled' => true, + 'fields' => [ + 'ip', + 'timestamp', + 'protocol', + 'port', + ], + 'filters' => [ + 'asn', + 'geo', + 'region', + 'city', + 'naics', + 'sic', + 'response', + ], + ], //https://www.shadowserver.org/what-we-do/network-reporting/accessible-radmin-report/ 'scan_radmin' => [ 
@@ -2452,6 +2515,131 @@ ], ], + //https://www.shadowserver.org/what-we-do/network-reporting/accessible-kubernetes-api-server-report/ + 'scan_kubernetes' => [ + 'class' => 'ACCESSIBLE_KUBERNETES', + 'type' => 'INFO', + 'enabled' => true, + 'fields' => [ + 'timestamp', + 'ip', + 'hostname', + 'protocol', + 'port', + ], + 'filters' => [ + 'asn', + 'geo', + 'region', + 'city', + 'naics', + ], + ], + + //https://www.shadowserver.org/what-we-do/network-reporting/accessible-ms-rpc-service-report/ + 'scan_msrpc' => [ + 'class' => 'ACCESSIBLE_MSRPC', + 'type' => 'INFO', + 'enabled' => true, + 'fields' => [ + 'timestamp', + 'ip', + 'hostname', + 'protocol', + 'port', + ], + 'filters' => [ + 'asn', + 'geo', + 'region', + 'city', + 'naics', + ], + ], + + //https://www.shadowserver.org/what-we-do/network-reporting/accessible-imap-report/ + 'scan_imap' => [ + 'class' => 'ACCESSIBLE_IMAP', + 'type' => 'INFO', + 'enabled' => true, + 'fields' => [ + 'timestamp', + 'ip', + 'hostname', + 'protocol', + 'port', + ], + 'filters' => [ + 'asn', + 'geo', + 'region', + 'city', + 'naics', + ], + ], + + //https://www.shadowserver.org/what-we-do/network-reporting/accessible-imap-report/ + 'scan6_imap' => [ + 'class' => 'ACCESSIBLE_IMAP', + 'type' => 'INFO', + 'enabled' => true, + 'fields' => [ + 'timestamp', + 'ip', + 'hostname', + 'protocol', + 'port', + ], + 'filters' => [ + 'asn', + 'geo', + 'region', + 'city', + 'naics', + ], + ], + + //https://www.shadowserver.org/what-we-do/network-reporting/accessible-pop3-report/ + 'scan_pop3' => [ + 'class' => 'ACCESSIBLE_POP3', + 'type' => 'INFO', + 'enabled' => true, + 'fields' => [ + 'timestamp', + 'ip', + 'hostname', + 'protocol', + 'port', + ], + 'filters' => [ + 'asn', + 'geo', + 'region', + 'city', + 'naics', + ], + ], + + //https://www.shadowserver.org/what-we-do/network-reporting/accessible-pop3-report/ + 'scan6_pop3' => [ + 'class' => 'ACCESSIBLE_POP3', + 'type' => 'INFO', + 'enabled' => true, + 'fields' => [ + 'timestamp', + 'ip', + 
'hostname', + 'protocol', + 'port', + ], + 'filters' => [ + 'asn', + 'geo', + 'region', + 'city', + 'naics', + ], + ], ], ]; From 979c32dffc3e1658c8861815b1c04afcf586d17e Mon Sep 17 00:00:00 2001 From: JdeGeit <125923512+JdeGeit@users.noreply.github.com> Date: Thu, 21 Aug 2025 17:35:24 +0200 Subject: [PATCH 2/2] Update Shadowserver.php cleaned out some filters that are no longer/not used in shadowserver reports --- config/Shadowserver.php | 34 ++++++---------------------------- 1 file changed, 6 insertions(+), 28 deletions(-) diff --git a/config/Shadowserver.php b/config/Shadowserver.php index 94ade60..246bc24 100644 --- a/config/Shadowserver.php +++ b/config/Shadowserver.php @@ -59,7 +59,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -73,7 +72,7 @@ 'timestamp', 'port', 'server_type', - 'clisterid', + 'clusterid', 'total_disk', 'livenodes', 'namenodeaddress', @@ -85,7 +84,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -128,7 +126,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -148,7 +145,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -168,7 +164,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -188,7 +183,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -209,7 +203,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -230,7 +223,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -251,7 +243,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -272,7 +263,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -332,7 +322,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -352,7 +341,6 @@ 'region', 'city', 'naics', - 'sic', 'sector', ], ], @@ -373,7 +361,6 @@ 'region', 'city', 'naics', - 'sic', 'sector', ], ], @@ -395,7 +382,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -417,7 +403,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -442,7 +427,6 @@ 'region', 'city', 'naics', - 'sic', ], ], @@ -701,7 +685,7 @@ 'port', 'hostname', 'packets', - 'size', + 'response_size', ], 'filters' => [ 'asn', 
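Review bot: In the second patch's hunk at -701 (and again at -723 and -1028) the entry in `'fields'` changes from `'size'` to `'response_size'`, which alters the expected report columns rather than cleaning up filters as the commit message describes. If the parser treats `'fields'` as columns every row must contain, a report still delivered with the old `size` column would stop producing events for these feeds, and nothing in the patch shows how such a row would be surfaced. It would help to check the rename against a current sample of each affected report and to mention the field changes (`clusterid`, `response_size`, the dropped `version` and `protocol`) in the commit description. The entry keys lie outside these hunks, so which feeds are affected cannot be read from the diff alone.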
@@ -723,7 +707,7 @@ 'port', 'hostname', 'packets', - 'size', + 'response_size', ], 'filters' => [ 'asn', @@ -998,6 +982,7 @@ ], ], + // https://www.shadowserver.org/what-we-do/network-reporting/open-ssdp-report/ 'scan_ssdp' => [ 'class' => 'OPEN_SSDP_SERVER', 'type' => 'INFO', @@ -1028,7 +1013,7 @@ 'timestamp', 'protocol', 'port', - 'size', + 'response_size', ], 'filters' => [ 'asn', @@ -1135,6 +1120,7 @@ ], ], + // https://www.shadowserver.org/what-we-do/network-reporting/open-memcached-report/ 'scan_memcached' => [ 'class' => 'OPEN_MEMCACHED_SERVER', 'type' => 'INFO', @@ -1773,8 +1759,6 @@ 'region', 'city', 'naics', - 'sic', - 'response', ], ], @@ -1795,8 +1779,6 @@ 'region', 'city', 'naics', - 'sic', - 'response', ], ], @@ -2328,7 +2310,6 @@ 'ip', 'hostname', 'port', - 'version', ], 'filters' => [ 'asn', @@ -2349,7 +2330,6 @@ 'ip', 'hostname', 'port', - 'version', ], 'filters' => [ 'asn', @@ -2608,7 +2588,6 @@ 'timestamp', 'ip', 'hostname', - 'protocol', 'port', ], 'filters' => [ @@ -2629,7 +2608,6 @@ 'timestamp', 'ip', 'hostname', - 'protocol', 'port', ], 'filters' => [
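Review bot: The hunks at -2608 and -2629 drop `'protocol'` from `'fields'` in what, by line position, appear to be the `scan_pop3` and `scan6_pop3` entries added by the first patch. `scan_kubernetes`, `scan_msrpc`, `scan_imap` and `scan6_imap` were added there with the identical field list and keep it. If `protocol` is missing from the POP3 reports it may be missing from some of those as well, in which case their rows would presumably be rejected in the same way. If the difference is intended, a short comment on the POP3 entries such as `// no protocol column in this report` would record why. The entry keys are outside both hunks, so this reading rests on the line numbers only.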