Report Open Access

Shadowserver reports automated tool

Janevski, Viktor; Lopienski, Sebastian; Lueders, Stefan

MARC21 XML Export

<?xml version='1.0' encoding='UTF-8'?>
<record xmlns="">
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">CERN openlab summer student </subfield>
  <controlfield tag="005">20191104071116.0</controlfield>
  <controlfield tag="001">61229</controlfield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Summer Student Supervisor</subfield>
    <subfield code="a">Lopienski, Sebastian</subfield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Summer Student Supervisor</subfield>
    <subfield code="a">Lueders, Stefan</subfield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="s">1101259</subfield>
    <subfield code="z">md5:2864fc031727056065ad3033fe696c2f</subfield>
    <subfield code="u"></subfield>
  <datafield tag="542" ind1=" " ind2=" ">
    <subfield code="l">open</subfield>
  <datafield tag="260" ind1=" " ind2=" ">
    <subfield code="c">2016-08-31</subfield>
  <datafield tag="909" ind1="C" ind2="O">
    <subfield code="p">user-cernopenlab</subfield>
    <subfield code="o"></subfield>
  <datafield tag="100" ind1=" " ind2=" ">
    <subfield code="u">CERN openlab Summer Student</subfield>
    <subfield code="a">Janevski, Viktor</subfield>
  <datafield tag="245" ind1=" " ind2=" ">
    <subfield code="a">Shadowserver reports automated tool</subfield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">user-cernopenlab</subfield>
  <datafield tag="540" ind1=" " ind2=" ">
    <subfield code="u"></subfield>
    <subfield code="a">Creative Commons Attribution 4.0 International</subfield>
  <datafield tag="650" ind1="1" ind2="7">
    <subfield code="a">cc-by</subfield>
    <subfield code="2"></subfield>
  <datafield tag="520" ind1=" " ind2=" ">
    <subfield code="a">&lt;p&gt;Project Specification&lt;/p&gt;

&lt;p&gt;Every day, CERN receives mail notifications from Shadowserver, which include results of network scans for specific vulnerabilities of various types1 for autonomous system number (ASN) 513, which is under the control of CERN.&lt;/p&gt;

&lt;p&gt;Checking these e-mail reports manually is time-consuming and not scalable. Instead, the CERN Computer Security Team prefers some kind of a tool for:&lt;/p&gt;

&lt;p&gt; extracting data from e-mails ( attachments or embedded links to CSV files);&lt;/p&gt;

&lt;p&gt; confirming reports by running additional scans from inside the network;&lt;/p&gt;

&lt;p&gt; handling repeated reports for the same device;&lt;/p&gt;

&lt;p&gt; dealing with known false positives / whitelisting;&lt;/p&gt;

&lt;p&gt; filtering out non-CERN hosts;&lt;/p&gt;

&lt;p&gt; sending Security Event Management System (SEMS) notifications;&lt;/p&gt;

&lt;p&gt; etc.&lt;/p&gt;


&lt;p&gt;The Shadowserver Foundation is offering a completely free-of-charge alerting and reporting service designed for ISPs, enterprises, hosting providers and other organizations that own or control a particular network space. The variety of reports provided to organizations serve as intelligence and assist in the process of locating and mitigating the security issues which occur inside their network. Being subscribed to this scanning and reporting service, CERN receives daily summaries of the security issues that happened during the past day.&lt;/p&gt;

&lt;p&gt;Analysing and handling all the reported issues manually is a time-consuming, tedious and repetitive job, because it would require a particular person from the Computer Security Team to go through a series of steps every day. In addition, the manual approach is not scalable and tends to be error-prone, which might lead to important things being missed.&lt;/p&gt;

&lt;p&gt;The main goal of this project is to create an automated tool that would be capable of extracting the relevant data from the received reports. However, it should not simply store the information in a database, but somehow notify the device owners that their devices were involved in a particular security issue. Also, it should be able to keep track of who was notified about what and when, in order to avoid sending multiple messages to a person about the same problem in a short period of time.&lt;/p&gt;

&lt;p&gt;The output of the tool is a detailed report which provides an overview of the security vulnerabilities that occurred inside CERN&amp;#39;s network during the last 24 hours, as well as a command line tool for whitelisting and managing already whitelisted devices.&lt;/p&gt;</subfield>
  <datafield tag="024" ind1=" " ind2=" ">
    <subfield code="a">10.5281/zenodo.61229</subfield>
    <subfield code="2">doi</subfield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">publication</subfield>
    <subfield code="b">report</subfield>
All versions This version
Views 8787
Downloads 228228
Data volume 251.1 MB251.1 MB
Unique views 7878
Unique downloads 198198


Cite as