Report Open Access

Shadowserver reports automated tool

Janevski, Viktor; Lopienski, Sebastian; Lueders, Stefan

DataCite XML Export

<?xml version='1.0' encoding='utf-8'?>
<resource xmlns:xsi="" xmlns="" xsi:schemaLocation="">
  <identifier identifierType="DOI">10.5281/zenodo.61229</identifier>
      <creatorName>Janevski, Viktor</creatorName>
      <affiliation>CERN openlab Summer Student</affiliation>
      <creatorName>Lopienski, Sebastian</creatorName>
      <affiliation>Summer Student Supervisor</affiliation>
      <creatorName>Lueders, Stefan</creatorName>
      <affiliation>Summer Student Supervisor</affiliation>
    <title>Shadowserver reports automated tool</title>
    <subject>CERN openlab summer student </subject>
    <date dateType="Issued">2016-08-31</date>
  <resourceType resourceTypeGeneral="Text">Report</resourceType>
    <alternateIdentifier alternateIdentifierType="url"></alternateIdentifier>
    <relatedIdentifier relatedIdentifierType="URL" relationType="IsPartOf"></relatedIdentifier>
    <rights rightsURI="">Creative Commons Attribution 4.0 International</rights>
    <rights rightsURI="info:eu-repo/semantics/openAccess">Open Access</rights>
    <description descriptionType="Abstract">&lt;p&gt;Project Specification&lt;/p&gt;

&lt;p&gt;Every day, CERN receives mail notifications from Shadowserver, which include results of network scans for specific vulnerabilities of various types1 for autonomous system number (ASN) 513, which is under the control of CERN.&lt;/p&gt;

&lt;p&gt;Checking these e-mail reports manually is time-consuming and not scalable. Instead, the CERN Computer Security Team prefers some kind of a tool for:&lt;/p&gt;

&lt;p&gt; extracting data from e-mails ( attachments or embedded links to CSV files);&lt;/p&gt;

&lt;p&gt; confirming reports by running additional scans from inside the network;&lt;/p&gt;

&lt;p&gt; handling repeated reports for the same device;&lt;/p&gt;

&lt;p&gt; dealing with known false positives / whitelisting;&lt;/p&gt;

&lt;p&gt; filtering out non-CERN hosts;&lt;/p&gt;

&lt;p&gt; sending Security Event Management System (SEMS) notifications;&lt;/p&gt;

&lt;p&gt; etc.&lt;/p&gt;


&lt;p&gt;The Shadowserver Foundation is offering a completely free-of-charge alerting and reporting service designed for ISPs, enterprises, hosting providers and other organizations that own or control a particular network space. The variety of reports provided to organizations serve as intelligence and assist in the process of locating and mitigating the security issues which occur inside their network. Being subscribed to this scanning and reporting service, CERN receives daily summaries of the security issues that happened during the past day.&lt;/p&gt;

&lt;p&gt;Analysing and handling all the reported issues manually is a time-consuming, tedious and repetitive job, because it would require a particular person from the Computer Security Team to go through a series of steps every day. In addition, the manual approach is not scalable and tends to be error-prone, which might lead to important things being missed.&lt;/p&gt;

&lt;p&gt;The main goal of this project is to create an automated tool that would be capable of extracting the relevant data from the received reports. However, it should not simply store the information in a database, but somehow notify the device owners that their devices were involved in a particular security issue. Also, it should be able to keep track of who was notified about what and when, in order to avoid sending multiple messages to a person about the same problem in a short period of time.&lt;/p&gt;

&lt;p&gt;The output of the tool is a detailed report which provides an overview of the security vulnerabilities that occurred inside CERN&amp;#39;s network during the last 24 hours, as well as a command line tool for whitelisting and managing already whitelisted devices.&lt;/p&gt;</description>
All versions This version
Views 103103
Downloads 345344
Data volume 379.9 MB378.8 MB
Unique views 9494
Unique downloads 303302


Cite as