
Update taxonomies to current RSIT and vice-versa #1380

Closed
5 of 21 tasks
ghost opened this issue Feb 15, 2019 · 2 comments
Labels
bug Indicates an unexpected problem or unintended behavior data-format

ghost commented Feb 15, 2019

There are currently multiple mismatches as noted in #1350

Our taxonomies are using a space character while the enisa version uses dashes. E.g. malicious code (intelmq) vs malicious-code (enisa). A summary of our differences:

From the taxonomy expert bot code, in intelmq but not in the ENISA eCSIRT-II taxonomy:

  • "dropzone": "information content security", # not in ENISA eCSIRT-II taxonomy
  • "leak": "information content security", # not in ENISA eCSIRT-II taxonomy
  • "backdoor": "intrusions", # not in ENISA eCSIRT-II taxonomy
  • "compromised": "intrusions", # not in ENISA eCSIRT-II taxonomy
  • "defacement": "intrusions", # not in ENISA eCSIRT-II taxonomy
  • "unauthorized-command": "intrusions", # not in ENISA eCSIRT-II taxonomy
  • "unauthorized-login": "intrusions", # not in ENISA eCSIRT-II taxonomy
  • "botnet drone": "malicious code", # not in ENISA eCSIRT-II taxonomy, deprecated -> infected system
  • "dga domain": "malicious code", # not in ENISA eCSIRT-II taxonomy
  • "malware": "malicious code", # not in ENISA eCSIRT-II taxonomy
  • "ransomware": "malicious code", # not in ENISA eCSIRT-II taxonomy
  • "other": "other", # not in ENISA eCSIRT-II taxonomy
  • "proxy": "other", # not in ENISA eCSIRT-II taxonomy
  • "tor": "other", # not in ENISA eCSIRT-II taxonomy
  • "unknown": "other", # not in ENISA eCSIRT-II taxonomy
  • "vulnerable client": "vulnerable", # not in ENISA eCSIRT-II taxonomy
  • "vulnerable service": "vulnerable", # not in ENISA eCSIRT-II taxonomy

Differently named types:

  • "ids alert": "intrusion attempts", # ENISA eCSIRT-II taxonomy: 'ids-alert'
  • "c&c": "malicious code", # ENISA eCSIRT-II taxonomy: 'c2server'
  • "infected system": "malicious code", # ENISA eCSIRT-II taxonomy: 'infected-system'
  • "malware configuration": "malicious code", # ENISA eCSIRT-II taxonomy: 'malware-configuration'

From an intelmq perspective we always need to care about backwards compatibility.

cc @aaronkaplan @th-certbund

https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force

@ghost ghost added bug Indicates an unexpected problem or unintended behavior data-format labels Feb 15, 2019
@ghost ghost added this to the 2.0.0 milestone Feb 15, 2019
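The name differences listed above, as an added example (not intelmq's own expert bot code): a two-way mapping between the intelmq spellings and the ENISA RSIT spellings that resolves the deprecated "botnet drone" first so old events keep mapping. The function names and table layout are assumptions; the table contents are taken from this issue.

```python
from typing import Optional

# intelmq types whose ENISA RSIT counterpart has a different name (from the issue).
RENAMED_TO_ENISA = {
    "ids alert": "ids-alert",
    "c&c": "c2server",
    "infected system": "infected-system",
    "malware configuration": "malware-configuration",
}

# Deprecated intelmq names and their successors, kept for backwards compatibility.
DEPRECATED = {
    "botnet drone": "infected system",
}

# intelmq types the issue lists as absent from the ENISA taxonomy.
NOT_IN_ENISA = {
    "dropzone", "leak", "backdoor", "compromised", "defacement",
    "unauthorized-command", "unauthorized-login", "dga domain", "malware",
    "ransomware", "other", "proxy", "tor", "unknown",
    "vulnerable client", "vulnerable service",
}


def to_enisa(intelmq_name: str) -> Optional[str]:
    """ENISA spelling for an intelmq type or taxonomy name.

    Returns None when the issue says the type has no ENISA counterpart.
    Deprecated names are resolved first so events from old bots still map.
    """
    name = intelmq_name.strip().lower()
    name = DEPRECATED.get(name, name)
    if name in NOT_IN_ENISA:
        return None
    if name in RENAMED_TO_ENISA:
        return RENAMED_TO_ENISA[name]
    # Remaining names differ only by the separator: space in intelmq, dash in ENISA.
    return name.replace(" ", "-")


def from_enisa(enisa_name: str) -> str:
    """Inverse direction: ENISA spelling back to the current intelmq name."""
    name = enisa_name.strip().lower()
    reverse = {v: k for k, v in RENAMED_TO_ENISA.items()}
    return reverse.get(name, name.replace("-", " "))
```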
@aaronkaplan
Member

So from what I get from #1350 the conclusion was to fix it in the next major release, right?

@ghost ghost self-assigned this May 14, 2019
@ghost ghost closed this as completed in e25cf7c May 14, 2019

ghost commented May 14, 2019

Did everything we can do here; next step: Taxonomy meeting. Split off #1409 for this.

This issue was closed.